FYI:

An update: here's IBM's response (well, the guy works at IBM, but doesn't say whether
or not this is an official IBM response):

> -----Original Message-----
> From: Mike Turk [mailto:mcturk@us.ibm.com]
> Sent: Monday, November 12, 2001 2:08 PM
> To: bugtraq
> Subject: Re: IBM AS/400 HTTP Server '/' attack
>
>
> Mailer: SecurityFocus
> In-Reply-To: <3BEA999D.4070304@yahoo.com>
>
> It is possible through HTTP server and servlet engine configurations
> that HTML and/or JSP source could be viewed at the browser.
>
> HTTP Server: There are configuration settings that could be made
> where JSP source could be displayed in the browser, such as
> placing JSPs in the document root of the HTTP server.  Also, in
> regards to HTML pages, if you use a PASS directive that allows all
> file types to be served
> (e.g. Pass /MYsamples/* /QIBM/UserData/MyHtml/*) then you
> could see the HTML source.  If the directive is qualified by file type
> (e.g. Pass /MYsamples/*.html /QIBM/UserData/MyHtml/*) you can prevent
> the request ending with '/' from being serviced.
>
> Servlet Engine:
> The problem description does not mention what Servlet engine/JSP processor
> is being used.  If it is WebSphere, if you have a file serving
> servlet in your web application, it will try to service the request for
> http://www.foo.com/getsource.jsp/.  Like the PASS example above, if you
> limit the types of requests to be served by the simple file servlet
> by file type, you can prevent the source from being displayed.  To do so:
> 1.  Select the simple file servlet for the web app.
> 2.  Modify the URI in the servlet web path list.
>      a) Start by modifying the existing URI.  It may look something like
>         default_host/webapp/myapp/
>      b) Change to something like default_host/webapp/myapp/*.html
> 3.  Continue adding URIs for other file types (*.gif, etc...)
> 4.  Click Apply
> 5.  Restart the web application
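Before and after applying either of the configuration changes above, it is worth confirming the behaviour from the outside: request a page normally, request the same URL with a trailing '/' (the probe the reply refers to, http://www.foo.com/getsource.jsp/), and compare what comes back. The script below is an added example written for this archive page, not code from IBM or from the original poster; www.foo.com and getsource.jsp are the names used in the reply, the response bodies are constructed for the offline demonstration, and the `fetch()` helper is a plain urllib fetch you would plug in against a live host.

```python
"""Trailing-'/' source-disclosure check for an HTTP server / servlet engine.

Added example (not from the original post). Compares the response to a URL
with the response to the same URL plus a trailing '/', and reports whether
the second one leaked unprocessed JSP or raw file content.
"""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

# Markup that only appears in unprocessed JSP source, never in rendered output.
JSP_MARKERS = re.compile(r"<%@|<%=|<%!|<%|<jsp:")


@dataclass
class Response:
    status: int
    content_type: str
    body: str


def trailing_slash_variant(url: str) -> str:
    """Return the same URL with '/' appended to its path (query string kept)."""
    parts = urlsplit(url)
    path = parts.path if parts.path.endswith("/") else parts.path + "/"
    return urlunsplit((parts.scheme, parts.netloc, path, parts.query, parts.fragment))


def classify(normal: Response, probe: Response) -> str:
    """Compare the normal response with the trailing-'/' probe response.

    blocked         probe was not served (e.g. 404), which is what the file-type
                    qualified Pass directive / servlet web path should produce
    disclosed-jsp   probe body contains JSP markup that the rendered page lacks
    disclosed-raw   probe served the same bytes as the page, but as text/plain
    no-disclosure   probe served something, but nothing the normal request did not
    """
    if probe.status != 200:
        return "blocked"
    if JSP_MARKERS.search(probe.body) and not JSP_MARKERS.search(normal.body):
        return "disclosed-jsp"
    if probe.content_type.startswith("text/plain") and probe.body.strip() == normal.body.strip():
        return "disclosed-raw"
    return "no-disclosure"


def fetch(url: str, timeout: float = 10.0) -> Response:
    """Live fetch with urllib; non-2xx responses are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "trailing-slash-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return Response(r.status, r.headers.get("Content-Type", ""),
                            r.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return Response(e.code, e.headers.get("Content-Type", ""),
                        e.read().decode("utf-8", "replace"))


def check(url: str, fetcher=fetch) -> str:
    """Fetch the URL and its trailing-'/' variant, then classify the pair."""
    return classify(fetcher(url), fetcher(trailing_slash_variant(url)))


# Constructed sample responses (not captured from any real server).
NORMAL = Response(200, "text/html", "<html><body>Hello, alice</body></html>")
PROBE_LEAK = Response(200, "text/plain",
                      '<%@ page language="java" %>'
                      '<html><body>Hello, <%= request.getParameter("u") %></body></html>')
PROBE_FIXED = Response(404, "text/html", "<html><body>Not found</body></html>")

# Stand-in fetchers simulating the server before and after the fix.
BEFORE_FIX = {"http://www.foo.com/getsource.jsp": NORMAL,
              "http://www.foo.com/getsource.jsp/": PROBE_LEAK}
AFTER_FIX = {"http://www.foo.com/getsource.jsp": NORMAL,
             "http://www.foo.com/getsource.jsp/": PROBE_FIXED}

if __name__ == "__main__":
    url = "http://www.foo.com/getsource.jsp"
    print("before:", check(url, fetcher=BEFORE_FIX.__getitem__))
    print("after: ", check(url, fetcher=AFTER_FIX.__getitem__))
```

Run it with `check("http://host/page.jsp")` against a real host; anything other than `blocked` or `no-disclosure` means the Pass directive or the file serving servlet's web path is still wide enough to hand the file out without processing it.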



This mailing list archive is Copyright 1997-2022 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.