PQ66590: WITH JSP 1.1 THE WEB USER CAN ENTER A FAKE DIRECTORY AND JSP FILE AFTER THE CONTEXT ROOT AND THE DIRECTORY WILL BE CREATED

A fix is available
WebSphere Application Server Version 3.5 Fix Pack 7 (3.5.7)

APAR

APAR status
Closed as program error.

Error description
If a person surfing the web goes to your website and enters the
correct context root but fake directories and JSP files after
that, the directories are created but not the JSP files.  The user
sees an error in the browser, but they can keep creating new
directories in WebSphere until the server fails to work anymore
because so much memory is used up.  At that point the JSPs cannot
compile and the website is useless.
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: WebSphere Application Server installations   *
*                 running jsp 1.1.                             *
****************************************************************
* PROBLEM DESCRIPTION: WebSphere is creating empty             *
*                      directories when url request is made    *
*                      for non-existent JSPs.                  *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
When a user requests a jsp that does not exist, a 404 error
is returned to the client.  However, during the check to
see if the file exists, the directory structure was being
created in preparation for the conversion of the jsp to
a .class file.
Problem conclusion
Added a check to see if the jsp file exists prior to creating
the temp directory structure.
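
The ordering problem and its fix, sketched as an added example (not IBM's code; the class, method and directory names are hypothetical, and the request paths are constructed). It runs both orderings against scratch directories and counts what each leaves behind.

```java
import java.io.IOException;
import java.nio.file.*;
import java.util.stream.Stream;

// Added illustration; all names are hypothetical, not WebSphere internals.
public class JspTempDirDemo {
    // Ordering from the problem summary: the scratch directory tree is built
    // during the existence check, so a request that ends in 404 still costs a mkdir.
    static boolean prepareBeforeFix(Path docRoot, Path tempRoot, String uri) throws IOException {
        Path rel = Paths.get(uri.replaceFirst("^/+", ""));
        Path parent = rel.getParent();
        Files.createDirectories(parent == null ? tempRoot : tempRoot.resolve(parent));
        return Files.isRegularFile(docRoot.resolve(rel));
    }

    // Ordering from the problem conclusion: confirm the JSP source exists first.
    // The containment check is this example's own addition, not part of the APAR text.
    static boolean prepareAfterFix(Path docRoot, Path tempRoot, String uri) throws IOException {
        Path source = docRoot.resolve(uri.replaceFirst("^/+", "")).normalize();
        if (!source.startsWith(docRoot) || !Files.isRegularFile(source)) {
            return false; // caller answers 404; nothing was written to disk
        }
        Path parent = docRoot.relativize(source).getParent();
        Files.createDirectories(parent == null ? tempRoot : tempRoot.resolve(parent));
        return true;
    }

    static long countDirs(Path root) throws IOException {
        try (Stream<Path> s = Files.walk(root)) {
            return s.filter(Files::isDirectory).count() - 1; // exclude root itself
        }
    }

    public static void main(String[] args) throws IOException {
        Path docRoot = Files.createTempDirectory("docroot");
        Path tempA = Files.createTempDirectory("temp-before");
        Path tempB = Files.createTempDirectory("temp-after");
        Files.createDirectories(docRoot.resolve("shop"));
        Files.write(docRoot.resolve("shop/cart.jsp"), "<%= 1 %>".getBytes());
        // Constructed request paths: one real JSP, three that do not exist.
        String[] uris = {"/shop/cart.jsp", "/a1/x.jsp", "/a2/b/y.jsp", "/a3/b/c/z.jsp"};
        for (String u : uris) {
            prepareBeforeFix(docRoot, tempA, u);
            prepareAfterFix(docRoot, tempB, u);
        }
        System.out.println("before fix: " + countDirs(tempA) + " directories");
        System.out.println("after fix:  " + countDirs(tempB) + " directories");
    }
}
```

With the pre-fix ordering every non-existent path adds directories under the scratch root; with the check moved first, only the directory for the one real JSP is created.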
Temporary fix
Comments
APAR information
APAR number: PQ66590
Reported component name: WAS ADVANCED AI
Reported component ID: 5648C8400
Reported release: 350
Status: CLOSED PER
PE: NoPE
HIPER: NoHIPER
Submitted date: 2002-09-25
Closed date: 2002-09-25
Last modified date: 2002-09-25

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
JSP

Fix information
Fixed component name: WAS ADVANCED AI
Fixed component ID: 5648C8400

Applicable component levels
R350 PSYUP











Document Information

Product categories: Software, Application Servers, Distributed Application & Web Servers, WebSphere Application Server, General
Software version: 350
Reference #: PQ66590
IBM Group: Software Group
Modified date: 2002-09-25