FYI: An update, here's IBM's (well, the guy works in IBM, but doesn't say whether or not this is an official IBM response) response: > -----Original Message----- > From: Mike Turk [mailto:firstname.lastname@example.org] > Sent: Monday, November 12, 2001 2:08 PM > To: bugtraq > Subject: Re: IBM AS/400 HTTP Server '/' attack > > > Mailer: SecurityFocus > In-Reply-To: <3BEA999D.email@example.com> > > It is possible through HTTP server and servlet engine configurations > that HTML and/or JSP source could be view at the browser. > > HTTP Server There are configuration settings that could be made > where JSP source could be displayed in the browser, such as > placing JSPs in the document root of the HTTP server. Also, in > regards to html pages, if you use a PASS directive that allow all > file types to be served > (e.g. Pass /MYsamples/* /QIBM/UserData/MyHtml/*) then you > could see the HTML source. If the directive is qualified by file type > (e.g. Pass /MYsamples/*.html /QIBM/UserData/MyHtml/*) you can prevent > the request ending with '/' from being serviced. > > Servlet Engine: > The problem description does not mention what Servlet > engine/JSP processor > that is being used. If it is WebSphere, if you have a file serving > servlet in your web application, it will try to service the > request for > http://www.foo.com/getsource.jsp/. Like the PASS example > above, if you > limit the types of requests to be served my the simple file > servlet by file type, > you can prevent the source from being displayed. To do so: > 1. select the simple file servlet for the web app. > 2. modify the URI in the servlet web path list. > a) start by modifying the existing URI. It may look > something like > default_host/webapp/myapp/ > b) change to something like default_host/webapp/myapp/*.html > 3. Continue adding URIs for other file types (*.gif, etc...) > 4. Click Apply > 5. Restart the web application
As an Amazon Associate we earn from qualifying purchases.
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.