COMMAND

    WebSphere

SYSTEMS AFFECTED

    IBM WebSphere Application Server 3.0.2

PROBLEM

    The following is based on the Foundstone Security Advisory by
    Shreeraj Shah and Saumil Shah. A "show code" (source code
    disclosure) vulnerability exists in IBM's WebSphere that allows an
    attacker to view the source code of any file within the web
    document root of the web server.

    IBM WebSphere uses Java Servlets to handle parsing of various types
    of pages (for example HTML, JSP, JHTML, etc.). In addition to the
    different servlets that handle different kinds of pages, WebSphere
    also has a default servlet which is invoked if a requested file has
    no registered handler.

    The default servlet can be forced to handle a request by prefixing
    the file path in the URL with "/servlet/file/". The default servlet
    returns the file as-is, so the page is served without being parsed
    or compiled.

    It is easy to verify this vulnerability on a given system, since
    any page reached through the "/servlet/file/" prefix is returned
    unparsed. For example, if the URL for a file "login.jsp" is:

        http://site.running.websphere/login.jsp

    then accessing

        http://site.running.websphere/servlet/file/login.jsp

    would cause the unparsed contents of the file (the JSP source) to
    be shown in the web browser.
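    As an added defensive example (not part of the advisory): a small
    scanner that flags access-log requests using the "/servlet/file/"
    prefix described above, so that probes for unparsed source can be
    found after the fact. It assumes NCSA common log format; the log
    lines below are constructed for the example.

```python
"""Flag WebSphere /servlet/file/ source-disclosure requests in access logs.

Added example, not code from the advisory. Assumes NCSA common log
format; the sample lines are constructed, not real traffic.
"""
import re
from urllib.parse import unquote

# NCSA common log: host ident user [time] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines: one benign JSP hit, two prefix hits (one with
# the prefix percent-encoded), one prefix hit for a missing file, one image.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2000:13:55:36 -0700] "GET /login.jsp HTTP/1.0" 200 2326
10.0.0.7 - - [10/Oct/2000:13:55:40 -0700] "GET /servlet/file/login.jsp HTTP/1.0" 200 4105
10.0.0.7 - - [10/Oct/2000:13:55:44 -0700] "GET /servlet/%66ile/checkout.jsp HTTP/1.0" 200 3890
10.0.0.9 - - [10/Oct/2000:13:56:02 -0700] "GET /servlet/file/missing.jsp HTTP/1.0" 404 210
10.0.0.9 - - [10/Oct/2000:13:56:05 -0700] "GET /images/logo.gif HTTP/1.0" 200 3400
"""


def find_default_servlet_requests(log_text):
    """Return (host, path, status) for every request routed via /servlet/file/."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as common log format
        # Decode percent-encoding first so an encoded prefix is still matched,
        # and drop any query string before comparing the path.
        path = unquote(m.group("path")).split("?", 1)[0]
        if path.startswith("/servlet/file/"):
            hits.append((m.group("host"), path, int(m.group("status"))))
    return hits


def successful_disclosures(hits):
    """Keep only 2xx responses: those actually returned file contents."""
    return [h for h in hits if 200 <= h[2] < 300]


if __name__ == "__main__":
    for host, path, status in successful_disclosures(
            find_default_servlet_requests(SAMPLE_LOG)):
        print(f"{host} fetched unparsed {path} (HTTP {status})")
```

    A 404 on the prefixed path means nothing was disclosed, so the
    second function separates confirmed disclosures from mere probes.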

SOLUTION

    Remove the InvokerServlet from the web application. The fix is APAR
    PQ39857, which will be available soon at:

        http://www-4.ibm.com/software/webservers/appserv/efix.html