Potential Security Exposure for Secured Static Content in all Releases of V5.0 and V5.1
 Flash (Alert)
 
Abstract
A Potential security exposure exists for static content secured in WebSphere® Application Server V5.0 through V5.0.2.2 and V5.1 when Edge Side Include (ESI) caching is enabled.
 
Content
The SimpleFileServlet in the WebSphere Web Container processes secured as well as unsecured static pages (such as html or gif files) of web applications. To improve overall performance, ESI cache in the plug-in can cache this content. Under certain circumstances, unauthorized users may be able to access the secured static content from the ESI cache without authenticating through the WebSphere security infrastructure.

This exposure affects you only if your configuration meets all of the conditions below:
  • The SimpleFileServlet for the Web Application is enabled.
    To disable it, set the fileServingEnabled attribute to false in the ibm-web-ext.xmi file in the WEB-INF directory of the WAR and restart the AppServer. Keep in mind that if you disable the SimpleFileServlet, WebSphere Application Server will stop serving all static content for this web application.
  • The ESI Cache component is enabled in the WebSphere plug-in.
    You may disable the ESI cache in the plug-in. To do this, set ESIEnable to false in the plugin-cfg.xml file. For example: <Property Name="ESIEnable" Value="false"/>. Please note that you may see performance degradation for static content.
  • Your web application contains static pages secured by the WebSphere Application Server security component.
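As an added check (not part of the IBM flash), the following Python script reads the two configuration settings named in the conditions above and reports whether all three conditions hold for a given web application. The XML fragments are constructed, simplified stand-ins for plugin-cfg.xml and ibm-web-ext.xmi, and the third condition (secured static pages present) is supplied by the operator as a flag; a setting that is absent from the file is treated as unknown and, conservatively, as enabled.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified stand-ins for the real files (not copied from a server).
PLUGIN_CFG = """<Config>
  <Property Name="ESIEnable" Value="true"/>
  <Property Name="ESIMaxCacheSize" Value="1024"/>
</Config>"""

WEB_EXT_VULNERABLE = """<webappext:WebAppExtension xmi:version="2.0"
  xmlns:xmi="http://www.omg.org/XMI"
  xmlns:webappext="webappext.xmi"
  fileServingEnabled="true"/>"""

# The same extension file after applying the flash's mitigation.
WEB_EXT_FIXED = WEB_EXT_VULNERABLE.replace('"true"', '"false"')


def esi_enabled(plugin_cfg_xml):
    """True/False for the ESIEnable property in plugin-cfg.xml, None if absent."""
    root = ET.fromstring(plugin_cfg_xml)
    for prop in root.iter("Property"):
        if prop.get("Name") == "ESIEnable":
            return prop.get("Value", "").strip().lower() == "true"
    return None


def file_serving_enabled(web_ext_xmi):
    """True/False for fileServingEnabled on the ibm-web-ext.xmi root, None if absent."""
    root = ET.fromstring(web_ext_xmi)
    value = root.get("fileServingEnabled")
    if value is None:
        return None
    return value.strip().lower() == "true"


def assess(plugin_cfg_xml, web_ext_xmi, has_secured_static_pages):
    """Return (exposure_applies, per-condition results) for one web application.

    A None result (setting not present in the file) is deliberately treated as
    "assume enabled" so that an incomplete configuration is still flagged for review.
    """
    conditions = {
        "SimpleFileServlet enabled (fileServingEnabled)": file_serving_enabled(web_ext_xmi),
        "ESI cache enabled in plug-in (ESIEnable)": esi_enabled(plugin_cfg_xml),
        "secured static pages present": has_secured_static_pages,
    }
    applies = all(result is not False for result in conditions.values())
    return applies, conditions


if __name__ == "__main__":
    for label, ext in (("before mitigation", WEB_EXT_VULNERABLE), ("after mitigation", WEB_EXT_FIXED)):
        applies, conditions = assess(PLUGIN_CFG, ext, True)
        print(f"{label}: exposure applies = {applies}; {conditions}")
```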

This exposure affects only web applications with secured static pages deployed in the WebSphere Application Server. Dynamic pages, such as servlets and JSPs, deployed in the WebSphere Application Server are not affected because requests for this content are not processed by the SimpleFileServlet.

An interim fix, PQ81192, is available for IBM WebSphere Application Server V5.0 and V5.1.

Click on the link below to download this APAR fix:

http://www.ibm.com/support/docview.wss?uid=swg24005947

After you apply this fix, ESI components will only cache non-secured static content of the web application.

Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > Servlet Engine/Web Container
Operating system(s): HP-UX
Software version: 5.0.2.2
Software edition:
Reference #: 1153603
IBM Group: Software Group
Modified date: Dec 4, 2003