PK23475; possible JSP source code exposure
 Downloadable files
 
Abstract
Setting fileServingEnabled to true leaves open the possibility of JavaServer Pages (JSP) source code exposure.
 
Download Description
PK23475 resolves the following problem:

ERROR DESCRIPTION:

Source code may be exposed when a request is made for a JSP that is available through file serving (e.g., fileServingEnabled set to true in the associated ibm-web-ext.xml file).

Source code may also be exposed when a JSP is placed outside a WAR file on IBM® WebSphere® Application Server V5.1.1.9 with PK20181. The problem happens when the customer maintains the JSP file outside of the WAR file using the IBM extension feature called ExtendedDocumentRoot with file serving enabled (as defined in the ibm-web-ext.xmi file in the WAR module).

LOCAL FIX:
In the interim, the customer can turn off file serving or, when using an extended document root, designate separate directories or JARs for the JSP and fileServing extendedDocumentRoot values, which resolves this.

PROBLEM SUMMARY

USERS AFFECTED:
Customers who provide JSPs for access based on file serving (fileServingEnabled set to true).

PROBLEM DESCRIPTION:
Setting fileServingEnabled to true leaves open the possibility of JSP source code exposure.

RECOMMENDATION:
None

If fileServingEnabled is set to true, there is a risk that the source code of the JSP will be exposed, for example when a browser requests the JSP using a particular format of request that makes use of the file serving enablement. This is potentially a security issue. The problem does not exist if fileServingEnabled is false. The problem also occurs when a JSP is served from an extendedDocumentRoot directory.
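As an added example (not part of the IBM APAR page and not IBM code), here is a small Python checker for the configuration discussed in the error description, the local fix and the problem description above: it reads an ibm-web-ext.xmi fragment, flags fileServingEnabled set to true, and flags a JSP extendedDocumentRoot that is also listed as a fileServing extendedDocumentRoot, which is the overlap the local fix says to remove. The attribute names fileServingEnabled and extendedDocumentRoot come from the APAR text; the element names jspAttributes and fileServingAttributes, the sample paths and the sample documents are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample (assumption, not a real deployment): the weak configuration
# the APAR describes, file serving on and one directory used as both the JSP
# and the fileServing extended document root.
WEAK_XMI = """<webappext:WebAppExtension xmlns:webappext="webappext.xmi"
    fileServingEnabled="true">
  <jspAttributes name="extendedDocumentRoot" value="/opt/app/shared"/>
  <fileServingAttributes name="extendedDocumentRoot" value="/opt/app/shared"/>
</webappext:WebAppExtension>
"""

# Constructed sample: the interim local fix, separate roots for JSPs and static files.
MITIGATED_XMI = """<webappext:WebAppExtension xmlns:webappext="webappext.xmi"
    fileServingEnabled="true">
  <jspAttributes name="extendedDocumentRoot" value="/opt/app/jsp"/>
  <fileServingAttributes name="extendedDocumentRoot" value="/opt/app/static, /opt/app/images"/>
</webappext:WebAppExtension>
"""

# Constructed sample: the other interim fix, file serving turned off entirely.
DISABLED_XMI = """<webappext:WebAppExtension xmlns:webappext="webappext.xmi"
    fileServingEnabled="false">
  <jspAttributes name="extendedDocumentRoot" value="/opt/app/shared"/>
  <fileServingAttributes name="extendedDocumentRoot" value="/opt/app/shared"/>
</webappext:WebAppExtension>
"""


def _extended_roots(root, element):
    """Collect extendedDocumentRoot paths from <element name="extendedDocumentRoot" value="..."/>.

    The value is treated as a comma-separated list of paths (an assumption of
    this example); trailing slashes are stripped so equivalent paths compare equal.
    """
    paths = set()
    for attr in root.findall(element):
        if attr.get("name") != "extendedDocumentRoot":
            continue
        for raw in attr.get("value", "").split(","):
            path = raw.strip().rstrip("/")
            if path:
                paths.add(path)
    return paths


def assess(xmi_text):
    """Return a list of findings for one ibm-web-ext.xmi document; empty means nothing to flag."""
    root = ET.fromstring(xmi_text)
    findings = []
    enabled = root.get("fileServingEnabled", "false").strip().lower() == "true"
    if not enabled:
        # The APAR states the problem does not exist when fileServingEnabled is false.
        return findings
    findings.append(
        "fileServingEnabled=true: JSP source may be served as a static file "
        "unless the PK23475 fix level is installed"
    )
    shared = _extended_roots(root, "jspAttributes") & _extended_roots(root, "fileServingAttributes")
    if shared:
        findings.append(
            "JSP and fileServing extendedDocumentRoot overlap: " + ", ".join(sorted(shared))
        )
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_XMI), ("mitigated", MITIGATED_XMI), ("disabled", DISABLED_XMI)):
        print(label, assess(doc) or ["no findings"])
```

Run against the three constructed documents, the weak one yields two findings, the mitigated one only the file-serving warning (still worth tracking until the fix pack is applied), and the disabled one none.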

PROBLEM CONCLUSION:
The code has been updated to prevent access to JSP source code when fileServingEnabled is set to true. The same level of checking is performed whether a JSP is accessed from a subdirectory of the application WAR directory or from an extendedDocumentRoot directory with fileServingEnabled set to true.

Note: For Versions 5.1.0.5 and 5.1.1 - 5.1.1.3 APAR fix PK28963 must also be installed.

The fix for this APAR is currently targeted for inclusion in cumulative fix versions 5.1.1.12 and fixpacks 6.0.2.13 and 6.1.0.2.

Please refer to the recommended updates page for delivery information:
General/swg27004980.html
 
Prerequisites
Please download the UpdateInstaller below to install this fix.
 
URL LANGUAGE SIZE(Bytes)
UpdateInstaller US English 7250000
 
 
Installation Instructions
Please review the readme.txt for detailed installation instructions.
 
URL LANGUAGE SIZE(Bytes)
Readme US English 14922
 
Download package
Download RELEASE DATE LANGUAGE SIZE(Bytes) Download Options
6.1-6.1.0.1-WS-WAS-IFPK23475 10/23/2006 US English 35408 FTP DD
6.0.2.11-WS-WAS-IFPK23475 10-23-2006 US English 37916 FTP DD
6.0.2.7-6.0.2.9-WS-WAS-IFPK23475 10-23-2006 US English 37844 FTP DD
6.0.2-6.0.2.5-WS-WAS-IFPK23475 10/23/2006 US English 34167 FTP DD
6.0.0.3-6.0.1.2-WS-WAS-IFPK23475 3/6/2007 US English 26226 FTP DD
6.0.0.1-6.0.0.2-WS-WAS-IFPK23475 3/6/2007 US English 28249 FTP DD
5.1.1.5-5.1.1.11-PK23475_Fix 10-23-2006 US English 10893 FTP DD
5.1.1-5.1.1.4-PK23475_Fix 10-23-2006 US English 10724 FTP DD
5.1.0.5-PK23475_Fix 10-23-2006 US English 10651 FTP DD
5.1.-5.1.0.4-PK23475_Fix 3/6/2007 US English 9927 FTP DD
5.0.2.18-PK23475_Fix 10-23-2006 US English 10291 FTP DD
5.0.2.12-5.0.2.17-PK23475_Fix 3/6/2007 US English 10188 FTP DD
5.0.2-5.0.2.11-PK23475_Fix 3/6/2007 US English 10414 FTP DD
5.0.1-PK23475_Fix 3/6/2007 US English 9522 FTP DD
5.0-PK23475_Fix 3/6/2007 US English 9132 FTP DD
4.0.7-PK23475_Fix 10/23/2006 US English 1072411 FTP DD
4.0.5-4.0.6-PK23475_Fix 3/6/2007 US English 1072416 FTP DD
 
Technical support
Contact IBM Support using ESR (http://www-306.ibm.com/software/support/probsub.html), visit the WebSphere Application Server Support Web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).
 
Cross Reference information
Segment Product Component Platform Version Edition
Application Servers Runtimes for Java Technology Java SDK
Problems (APARS) fixed
PK23475
 
Document Information
 
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > Servlet Engine/Web Container
Operating system(s): i5/OS
Software version: 6.1
Software edition:
Reference #: 4013827
IBM Group: Software Group
Modified date: Mar 7, 2007