fileServingEnabled set to true leaves possibility of
JavaServer Pages (JSP) source code exposure.
Download Description
PK23475 resolves the following problem:
ERROR DESCRIPTION:
Source code may be exposed when a request is made for a JSP that is reachable
through file serving (that is, fileServingEnabled set to true in the
associated ibm-web-ext.xml file).
Source code may also be exposed when a JSP is placed outside the WAR file on
IBM® WebSphere® Application Server V5.1.1.9 with PK20181. This happens when
the customer keeps the JSP file outside the WAR file by using the IBM
extension feature extendedDocumentRoot with file serving enabled (as defined
in the ibm-web-ext.xmi file of the WAR module).
LOCAL FIX:
In the interim, the customer can turn off file serving or, when using an
extended document root, designate separate directories or JARs for the JSP
extendedDocumentRoot and the file-serving extendedDocumentRoot values, so
that the directory served by file serving no longer contains the JSP files.
PROBLEM SUMMARY
USERS AFFECTED:
Customers who provide JSPs for access based on file serving
(fileServingEnabled set to true).
PROBLEM DESCRIPTION:
fileServingEnabled set to true leaves possibility of JSP source code
exposure.
RECOMMENDATION:
None
If fileServingEnabled is set to true, there is a risk that the source code of
the JSP will be exposed, for example when the JSP is requested from a browser
with a particular form of request that causes the request to be handled by
file serving rather than by the JSP engine. This is potentially a security
issue. The problem does not exist if fileServingEnabled is false. The problem
also occurs when a JSP is served from an extendedDocumentRoot directory.
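The following script is an added example and is not part of this APAR or of
WebSphere itself. It audits an ibm-web-ext.xmi for the combination the LOCAL
FIX above warns about (fileServingEnabled="true" with the JSP and file-serving
extendedDocumentRoot values pointing at the same location) and classifies a
captured HTTP response body as raw JSP source or rendered output, which is how
an administrator would confirm whether a deployed module leaks source. The two
ibm-web-ext.xmi samples, the paths under /opt/app, and the response bodies are
constructed for the example; the exact request form that triggers the leak is
not given on this page, so the checker only inspects a response you already
captured.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the risky layout. File serving is on and both the JSP
# and the file-serving extended document roots point at the same directory,
# so the file-serving handler can reach the .jsp files themselves.
RISKY_EXT_XMI = """<webappext:WebAppExtension xmi:version="2.0"
    xmlns:xmi="http://www.omg.org/XMI" xmlns:webappext="webappext.xmi"
    xmi:id="WebAppExtension_1" fileServingEnabled="true"
    directoryBrowsingEnabled="false">
  <webApp href="WEB-INF/web.xml#WebApp_ID"/>
  <jspAttributes xmi:id="JSPAttribute_1" name="extendedDocumentRoot"
      value="/opt/app/shared"/>
  <fileServingAttributes xmi:id="FileServingAttribute_1"
      name="extendedDocumentRoot" value="/opt/app/shared"/>
</webappext:WebAppExtension>
"""

# Constructed sample: the interim workaround from the LOCAL FIX. File serving
# stays on for static content, but the JSP root and the file-serving root are
# separate directories, so no .jsp lives under the directory file serving can read.
SEPARATED_EXT_XMI = """<webappext:WebAppExtension xmi:version="2.0"
    xmlns:xmi="http://www.omg.org/XMI" xmlns:webappext="webappext.xmi"
    xmi:id="WebAppExtension_1" fileServingEnabled="true"
    directoryBrowsingEnabled="false">
  <webApp href="WEB-INF/web.xml#WebApp_ID"/>
  <jspAttributes xmi:id="JSPAttribute_1" name="extendedDocumentRoot"
      value="/opt/app/jsp"/>
  <fileServingAttributes xmi:id="FileServingAttribute_1"
      name="extendedDocumentRoot" value="/opt/app/static"/>
</webappext:WebAppExtension>
"""


def _roots(root, element_name):
    """Collect extendedDocumentRoot values (comma-separated lists allowed)."""
    found = set()
    for el in root.iter(element_name):
        if el.get("name") == "extendedDocumentRoot":
            found.update(p.strip() for p in el.get("value", "").split(",") if p.strip())
    return found


def audit_web_ext(xmi_text):
    """Return the settings relevant to PK23475 plus a list of findings."""
    root = ET.fromstring(xmi_text)
    raw = root.get("fileServingEnabled")
    # An absent attribute falls back to the server default, which this
    # example does not assume; only an explicit "true" is flagged.
    file_serving = raw is not None and raw.strip().lower() == "true"
    jsp_roots = _roots(root, "jspAttributes")
    fs_roots = _roots(root, "fileServingAttributes")
    shared = sorted(jsp_roots & fs_roots)
    findings = []
    if file_serving:
        findings.append("fileServingEnabled=true: JSP source exposure risk "
                        "(PK23475) until the fixed level is installed")
    if file_serving and shared:
        findings.append("JSP and file-serving extendedDocumentRoot overlap: "
                        + ", ".join(shared))
    return {
        "fileServingEnabled": file_serving,
        "jspRoots": sorted(jsp_roots),
        "fileServingRoots": sorted(fs_roots),
        "sharedRoots": shared,
        "findings": findings,
    }


# Markers that only appear in untranslated JSP text: page/include/taglib
# directives, scriptlets or expressions, and jsp: action tags. Rendered HTML
# from the JSP engine never contains these, so one hit means source leaked.
JSP_MARKERS = (
    re.compile(r"<%@\s*(page|include|taglib)\b"),
    re.compile(r"<%[=!]?"),
    re.compile(r"<jsp:\w+"),
)


def looks_like_jsp_source(body):
    """True when a response body contains raw JSP syntax instead of output."""
    return any(m.search(body) for m in JSP_MARKERS)


if __name__ == "__main__":
    for label, xmi in (("risky", RISKY_EXT_XMI), ("separated", SEPARATED_EXT_XMI)):
        print(label, audit_web_ext(xmi)["findings"])
    leaked = '<%@ page contentType="text/html" %>\n<html>Hello <%= request.getRemoteUser() %></html>'
    rendered = "<html>Hello alice</html>"
    print(looks_like_jsp_source(leaked), looks_like_jsp_source(rendered))
```

Run the audit against the ibm-web-ext.xmi of every deployed web module; the
first finding disappears only after installing the fix level named in the
PROBLEM CONCLUSION, while the overlap finding disappears as soon as the two
extended document roots are separated as the LOCAL FIX describes.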
PROBLEM CONCLUSION:
The code has been updated to prevent access to JSP source code when
fileServingEnabled is set to true. The same check is now performed whether a
JSP is accessed from a subdirectory of the application WAR directory or from
an extendedDocumentRoot directory with fileServingEnabled set to true.
Note: For Versions 5.1.0.5 and 5.1.1 - 5.1.1.3 APAR fix PK28963 must also
be installed.
The fix for this APAR is currently targeted for inclusion in cumulative
fix versions 5.1.1.12 and fixpacks 6.0.2.13 and 6.1.0.2.