|
FYI.... > -----Original Message----- > From: 'ken'@FTU > Sent: Thursday, November 08, 2001 8:42 AM > To: bugtraq > Subject: IBM AS/400 HTTP Server '/' attack > > > IBM's HTTP Server on the AS/400 platform is vulnerable to an attack > that will show the source code of the page -- such as an .html or .jsp > page -- by attaching an '/' to the end of a URL. > > Compare these two URL's: > > http://www.foo.com/getsource.jsp > > http://www.foo.com/getsource.jsp/ > > The later URL will deliver the jsp source to the browser. > > I reported this problem to IBM approximately 9 or 10 months ago. > > I was told it was a bug but not a security vulnerability. When I > explained that Microsoft had a similar bug (asp dot bug) they told me > that "they did not share the same source code base." I replied to this > ludicrous reply: "Isn't it possible that since you developed servers > that function in a similar manner you have the same logical bug?" To > this they were speechless. I imagine that a .jsp page could > contain user > names and passwords if they are accessing databases, > especially if these > databases are on the network. > > By the way, the IBM HTTP server was derived from an early version of > Apache. I have not seen Apache servers vulnerable to this bug. > > Since I reported this "non-security" bug so long ago I hope > it is fixed > through the regular set of changes. I cannot confirm this bug > was fixed. > As far as I know this vulnerability was not yet reported to > the public. > > 'ken' > >
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.
midrange.com
