IBM WebSphere Application Server Web Server Root JSP Source Code Disclosure Vulnerability
BID:13160
Info
| Bugtraq ID: | 13160 |
| Class: | Access Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Apr 13 2005 12:00AM |
| Updated: | Apr 13 2005 12:00AM |
| Credit: | "SPI Labs" <[email protected]> is credited with the disclosure of this issue. |
| Vulnerable: | IBM Websphere Application Server versions 6.0, 5.1.1.3, 5.1.1.2, 5.1.1.1, 5.1.1, 5.1.0.5, 5.1.0.4, 5.1.0.3, 5.1.0.2, 5.1, 5.0.2.9, 5.0.2.8, 5.0.2.7, 5.0.2.6, 5.0.2.5, 5.0.2.4, 5.0.2.3, 5.0.2.1, 5.0.2, 5.0.1, 5.0 |
| Not Vulnerable: | |
Discussion
A remote JSP source disclosure vulnerability reportedly affects the IBM WebSphere Application Server. This issue is due to a failure of the application to properly handle various requests under certain circumstances.
Note that this issue only arises when the Web server and application server root directories reside in the same location; this is not the default configuration.
An attacker may leverage this issue to disclose JSP source code, facilitating code theft as well as potential further attacks.
Exploit / POC
No exploit is required to leverage this issue. The following proof of concept has been provided:
GET /index.jsp HTTP/1.0
Host: NonExistentHost
Solution / Fix
Solution:
IBM has released the "JavaServer Pages source code shown by the Web server" information center document dealing with this issue. The referenced document states that this issue is resolved by ensuring that the affected application server and the Web server reside in separate root directories. Please see the referenced document for more details.
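The separation described above can be checked on a host. The following is an added example, not code from IBM or from this advisory: it assumes an Apache-style configuration with DocumentRoot directives, and all paths and helper names are hypothetical. It reports every document root that shares a directory tree with the application root, along with the JSP files found under it.

```python
import os
import re
import tempfile

# Apache-style "DocumentRoot <path>" directive, global or inside <VirtualHost>.
DOCROOT_RE = re.compile(r'^[ \t]*DocumentRoot[ \t]+"?([^"\n]+?)"?[ \t]*$', re.I | re.M)
JSP_SUFFIXES = (".jsp", ".jspx", ".jspf")

def document_roots(conf_text):
    """Return every DocumentRoot declared in the config (commented lines are skipped)."""
    return [m.group(1) for m in DOCROOT_RE.finditer(conf_text)]

def overlaps(a, b):
    """True if a and b are the same directory or one contains the other."""
    a, b = os.path.realpath(a), os.path.realpath(b)  # resolve symlinks first
    # commonpath compares whole components, so /srv/www and /srv/www2 do not match.
    return os.path.commonpath([a, b]) in (a, b)

def exposed_jsps(docroot):
    """List JSP source files that sit where the web server serves static content."""
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        hits += [os.path.join(dirpath, f) for f in files if f.lower().endswith(JSP_SUFFIXES)]
    return sorted(hits)

def audit(conf_text, app_root):
    """Return (docroot, jsp_files) for each DocumentRoot sharing a tree with app_root."""
    return [(root, exposed_jsps(root))
            for root in document_roots(conf_text) if overlaps(root, app_root)]

if __name__ == "__main__":
    # Constructed layout: one vhost root also holds the application's JSPs.
    with tempfile.TemporaryDirectory() as tmp:
        shared, static = os.path.join(tmp, "shared"), os.path.join(tmp, "static")
        os.makedirs(os.path.join(shared, "app"))
        os.makedirs(static)
        open(os.path.join(shared, "app", "index.jsp"), "w").close()
        conf = f'DocumentRoot "{static}"\n<VirtualHost *:80>\n  DocumentRoot "{shared}"\n</VirtualHost>\n'
        for root, jsps in audit(conf, os.path.join(shared, "app")):
            print(f"OVERLAP: {root} shares a tree with the application root")
            for path in jsps:
                print(f"  JSP source under document root: {path}")
```

An empty result from `audit` means no declared document root shares a tree with the application root.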
References
References: