Abstract
A potential security exposure exists for static content
secured in WebSphere® Application Server V5.0 through V5.0.2.2 and V5.1
when Edge Side Include (ESI) caching is enabled.

Content
The SimpleFileServlet in the WebSphere Web Container
processes secured as well as unsecured static pages (such as HTML or GIF
files) of web applications. To improve overall performance, the ESI cache in
the plug-in can cache this content. Under certain circumstances,
unauthorized users may be able to access the secured static content from
the ESI cache without authenticating through the WebSphere security
infrastructure.
This exposure affects you only if your configuration meets all of the
conditions below:
- The SimpleFileServlet for the web application is
enabled.
To disable it, set the fileServingEnabled attribute to false in the
ibm-web-ext.xmi file in the WEB-INF directory of the WAR and restart the
AppServer. Keep in mind that if you disable the SimpleFileServlet,
WebSphere Application Server will stop serving all static content for
this web application.
- The ESI cache component is enabled in the WebSphere
plug-in.
You may disable the ESI cache in the plug-in. To do this, set ESIEnable to
false in the plugin-cfg.xml file. For example: <Property
Name="ESIEnable" Value="false"/>. Please note that you may suffer
performance degradation for static content.
- Your web application contains static pages
secured by the WebSphere Application Server security component.
This exposure affects only web applications with secured static pages
deployed in WebSphere Application Server. Dynamic pages, such as
servlets and JSPs, deployed in WebSphere Application Server are not
affected because requests for this content are not processed by the
SimpleFileServlet.
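The three conditions above can be checked from the configuration files the advisory names. The following is an added example, not IBM code: it parses constructed fragments of ibm-web-ext.xmi and plugin-cfg.xml and reports whether a deployment meets all three conditions. The element layout of the ibm-web-ext.xmi fragment and the "enabled unless explicitly set to false" defaults are assumptions inferred from the text.

```python
"""Audit a WebSphere V5 deployment for the ESI static-content exposure.

Added example, not IBM code. Attribute names (fileServingEnabled,
ESIEnable) come from the advisory; the sample files are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed fragment of WEB-INF/ibm-web-ext.xmi. The advisory names the
# fileServingEnabled attribute; the root element and namespaces are assumed.
IBM_WEB_EXT_XMI = """<?xml version="1.0" encoding="UTF-8"?>
<webappext:WebAppExtension xmi:version="2.0"
    xmlns:xmi="http://www.omg.org/XMI"
    xmlns:webappext="webappext.xmi"
    fileServingEnabled="true" reloadInterval="3"/>
"""

# Constructed fragment of plugin-cfg.xml carrying the ESIEnable property.
PLUGIN_CFG_XML = """<?xml version="1.0" encoding="ISO-8859-1"?>
<Config>
  <Property Name="ESIEnable" Value="true"/>
  <Property Name="ESIMaxCacheSize" Value="1024"/>
</Config>
"""


def file_serving_enabled(xmi_text: str) -> bool:
    """Condition 1: SimpleFileServlet is on unless fileServingEnabled="false".

    The advisory says setting the attribute to false disables file serving,
    so anything else (including absence) is treated as enabled (assumption)."""
    root = ET.fromstring(xmi_text)
    return root.get("fileServingEnabled", "true").lower() != "false"


def esi_enabled(plugin_cfg_text: str) -> bool:
    """Condition 2: ESI cache is on unless <Property Name="ESIEnable" Value="false"/>."""
    root = ET.fromstring(plugin_cfg_text)
    for prop in root.iter("Property"):
        if prop.get("Name") == "ESIEnable":
            return prop.get("Value", "true").lower() != "false"
    return True  # property absent: assumed enabled, as the text implies


def exposed(xmi_text: str, plugin_cfg_text: str,
            has_secured_static_pages: bool) -> bool:
    """All three conditions must hold; condition 3 is supplied by the operator."""
    return (file_serving_enabled(xmi_text)
            and esi_enabled(plugin_cfg_text)
            and has_secured_static_pages)
```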
An interim fix, PQ81192, is available for IBM WebSphere
Application Server versions V5.0.x and V5.1.
Click on the link below to download this APAR fix:
http://www.ibm.com/support/docview.wss?uid=swg24005947
After you apply this fix, the ESI components will only cache non-secured
static content of the web application.