Possible security exposure with JavaServer Page (JSP) and IBM WebSphere Application Server
 Flash (Alert)
 
Abstract
With IBM® WebSphere® Application Server, the use of specific characters in JSP URLs might cause the server to return the JavaServer Pages (JSP) source code rather than the rendered output of the JSP page. With these APAR fixes applied, an error code or the formatted output, as appropriate, is displayed instead.
 
Content
A possible security exposure has been identified in Application Server in which, in four different configurations, raw JSP source content may be served to a browser. The configurations are as follows:
  • Serving a JSP from an Application WAR. Access is possible to a JSP file which is stored under the application war directory when fileServingEnabled is set to true in the ibm.web.ext.xmi file.
  • Serving a JSP from an Extended Document Root. Access is possible to a JSP file from an extendedDocumentRoot directory when fileServingEnabled is set to true in the ibm.web.ext.xmi file.
  • Serving a JSP from an Application WAR with servlet caching enabled. Same as the first scenario, but with servlet caching enabled and with a caching policy which uses the com.ibm.ws.webcontainer.servlet.SimpleFileServlet.class for servlet caching.
  • Serving a JSP from an Extended Document Root with Servlet Caching enabled. Same as the second scenario, but with servlet caching enabled and with a caching policy which uses the com.ibm.ws.webcontainer.servlet.SimpleFileServlet.class for servlet caching.

This document addresses these four identified configurations only. For example, if servlet caching is enabled and a different class from com.ibm.ws.webcontainer.servlet.SimpleFileServlet.class is used for servlet caching, it may be possible for such a different class to cause an exposure.

If any of these configurations is in use, whether a fix is required depends on which configuration is enabled and on the level of WebSphere Application Server and operating system in use. Details of the APARs required are included below. Note that after any required APAR(s) is applied, the browser will either display an error code or the properly formatted output, whichever is the appropriate response.
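The four configurations above are driven by the file-serving settings of each deployed web module. The following audit script is an added example, not IBM's code or part of this Flash: it parses the WEB-INF/ibm-web-ext.xmi descriptor of each installed WAR, reads fileServingEnabled, looks for an extendedDocumentRoot entry (assumed here to be declared as a name/value child element), and reports which of the four configurations the module matches. Whether servlet caching is enabled with a cachespec policy naming SimpleFileServlet lives in a separate file, so the operator passes that as a flag. The sample descriptor is constructed.

```python
import os
import sys
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not from the Flash): file serving on, with an extended document root.
SAMPLE_XMI = """<?xml version="1.0" encoding="UTF-8"?>
<webappext:WebAppExtension xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI"
    xmlns:webappext="webappext.xmi" xmi:id="WebAppExtension_1"
    fileServingEnabled="true" serveServletsByClassnameEnabled="false">
  <fileServingAttributes xmi:id="FSA_1" name="extendedDocumentRoot" value="/opt/shared/docroot"/>
</webappext:WebAppExtension>
"""

def matching_configurations(xml_text, simple_file_servlet_cached=False):
    """Return the Flash's configuration numbers (1-4) that a descriptor matches.

    simple_file_servlet_cached is supplied by the operator: True when servlet caching
    is enabled with a caching policy that uses SimpleFileServlet (not readable here).
    """
    root = ET.fromstring(xml_text)
    # fileServingEnabled is an attribute of the root element; when absent it is false.
    if root.get("fileServingEnabled", "false").strip().lower() != "true":
        return []
    # Assumption: extendedDocumentRoot is a name/value child element of the extension.
    ext_root = any(
        el.get("name") == "extendedDocumentRoot" and el.get("value")
        for tag in ("fileServingAttributes", "jspAttributes")
        for el in root.iter(tag)
    )
    if simple_file_servlet_cached:
        return [3, 4] if ext_root else [3]
    return [1, 2] if ext_root else [1]

def scan_installed_apps(base_dir, simple_file_servlet_cached=False):
    """Walk an installedApps tree and report every ibm-web-ext.xmi that matches a configuration."""
    report = {}
    for dirpath, _, files in os.walk(base_dir):
        if "ibm-web-ext.xmi" in files:
            path = os.path.join(dirpath, "ibm-web-ext.xmi")
            with open(path, encoding="utf-8") as fh:
                hits = matching_configurations(fh.read(), simple_file_servlet_cached)
            if hits:
                report[path] = hits
    return report

if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "."
    caching = "--simplefileservlet-cached" in sys.argv
    for path, hits in scan_installed_apps(base, caching).items():
        print("%s: matches configuration(s) %s" % (path, hits))
```

Run it against a profile's installedApps directory; a module reported with configuration 1 or 2 needs the APAR for its level, and one reported with 3 or 4 needs the servlet-caching APAR named below.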


For WebSphere Application Server for Distributed Platforms:
For V6.1.0.2 through 6.1.0.3 (for Microsoft® Windows® only):
If servlet caching is enabled as previously described:
For V6.1 through 6.1.0.1:
For V6.0.2.13 through 6.0.2.15 (for Microsoft Windows Only):
If servlet caching is enabled as previously described:
For V6.0.2.5 to 6.0.2.11:
For V6.0.2.3:

For V6.0.2 through 6.0.2.1:
For V6.0.0.2 through 6.0.1.2:
For V6.0.0.1:
For V5.1.1.11:
If serving files from an Extended Document Root without servlet caching enabled or with servlet caching enabled as previously described:
For V5.1.1.9 (for Microsoft Windows only):
If serving files from an Extended Document Root without servlet caching enabled or with servlet caching enabled as previously described:
Otherwise:
For V5.1.1.4 through 5.1.1.10 (for IBM AIX, Linux, Solaris, HP-UX) and V5.1.1.4 through 5.1.1.8 and 5.1.1.10 (for Microsoft Windows):
If serving files from an Extended Document Root without servlet caching enabled or with servlet caching enabled as previously described:
Otherwise:
For V5.1.1.3:
If serving files from an Extended Document Root without servlet caching enabled or with servlet caching enabled as previously described:
For V5.1.0.2 through 5.1.1.2:
For V5.1 through 5.1.0.1:
If serving files from an Extended Document Root without servlet caching enabled or with servlet caching enabled as previously described:
Otherwise:
For V5.0.2.18:
  • Apply APAR PK43894.
For V5.0.2.10 to 5.0.2.17:
  • Apply APAR PK23475.
For V5.0.2.8 to 5.0.2.9 (for Microsoft Windows only):
If serving files from an Extended Document Root without servlet caching enabled or with servlet caching enabled as previously described:
Otherwise:
For V5.0.2.5 to 5.0.2.7 (for Microsoft Windows only):
For V5.0.2.2 to 5.0.2.4 (for Microsoft Windows only):
If serving files from an Extended Document Root without servlet caching enabled or with servlet caching enabled as previously described:
Otherwise:
For V5.0.2.2 to 5.0.2.9 (for IBM AIX, Linux, Solaris, HP-UX):
If serving files from an Extended Document Root without servlet caching enabled or with servlet caching enabled as previously described:
For V5.0.2 to 5.0.2.1:
If serving files from an Extended Document Root without servlet caching enabled or with servlet caching enabled as previously described:
  • Apply APAR PK23475.
Otherwise:
  • Apply either APAR PK23475 or APAR PQ91033.
For V5.0.1:
  • For Microsoft Windows only:
  • For IBM AIX, Linux, Solaris, HP-UX:
    If serving files from an Extended Document Root without servlet caching enabled or with servlet caching enabled as previously described:
    Otherwise:

For V5.0:
  • For Microsoft Windows only:
    If serving files from an Extended Document Root without servlet caching enabled or with servlet caching enabled as previously described:
  • For IBM AIX, Linux, Solaris, HP-UX:
    If serving files from an Extended Document Root without servlet caching enabled or with servlet caching enabled as previously described:
    Otherwise:

For V4.0.5 through 4.0.7:
If serving files from an Extended Document Root without servlet caching enabled or with servlet caching enabled as previously described:
Otherwise:
For V4.0.3 through 4.0.4:
Upgrade to V4.0.5 or later, available from Recommended Fixes for WebSphere Application Server, and then follow the instructions previously described for the new upgraded level.



For IBM WebSphere Application Server for z/OS platforms:

For V6.1.0.2 through 6.1.0.4:
  • Apply APAR PK36741 (PK32374), for Cumulative Fix Pack 5 (V6.1.0.5), or later.
    • 6.1.0.5 PTFs are UK20982, UK21009, UK21015, UK21016, UK21017, and UK21027.

For V6.0.2.13 through 6.0.2.16:
  • Apply APAR PK35633 (PK32374), for Cumulative Fix Pack 17 (V6.0.2.17), or later.
    • 6.0.2.17 PTFs are UK20459, UK20460, and UK20461.

For V5.1 prior to W510236:
  • Apply APAR PK27728 (PTF UK16713) for service level W510236, or later.

For V5.0 prior to W502042:
  • Apply APAR PK27727 (PTF UK17760) for service level W502042, or later.



For IBM WebSphere Application Server for iSeries, i5/OS, and OS/400 platforms:

For V6.1 through 6.1.0.1:
  • Apply APAR PK23475
    Or
  • Apply the current WebSphere Application Server group PTF and install the fix pack according to the group PTF instructions.

For V6.0.2.5 to 6.0.2.11:
  • Apply APAR PK23475
    Or
  • Apply the current WebSphere Application Server group PTF and install the fix pack according to the group PTF instructions.

For V6.0.2.3:
If servlet caching is enabled as previously described:
  • Apply APAR PK32374
    Or
  • Apply the current WebSphere Application Server group PTF and install the fix pack according to the group PTF instructions.
Otherwise:
  • Apply APAR PK23475
    Or
  • Apply the current WebSphere Application Server group PTF and install the fix pack according to the group PTF instructions.

For V6.0.2 through 6.0.2.1:
If serving files from an Extended Document Root without servlet caching enabled as previously described:
  • Apply APAR PK23475
    Or
  • Apply the current WebSphere Application Server group PTF and install the fix pack according to the group PTF instructions.
Otherwise:
  • Apply either APAR PK23475 or APAR PK22928
    Or
  • Apply the current WebSphere Application Server group PTF and install the fix pack according to the group PTF instructions.

For V6.0.0.2 through 6.0.1.2:
If serving files from an Extended Document Root without servlet caching enabled as previously described:
  • Apply APAR PK23475
    Or
  • Apply the current WebSphere Application Server group PTF and install the fix pack according to the group PTF instructions.
Otherwise:
  • Apply either APAR PK23475 or APAR PK22928
    Or
  • Apply the current WebSphere Application Server group PTF and install the fix pack according to the group PTF instructions.

For V6.0.0.1:
If serving files from an Extended Document Root without servlet caching enabled as previously described:
  • Apply APAR PK23475
    Or
  • Apply the current WebSphere Application Server group PTF and install the fix pack according to the group PTF instructions.
Otherwise:
  • Apply either APAR PK23475 or APAR PK22928
    Or
  • Apply the current WebSphere Application Server group PTF and install the fix pack according to the group PTF instructions.

For V5.0 and V5.1:
  • Apply the current WebSphere Application Server group PTF.

Change History
  • August 2007: Changed "For V5.0.2.10 to 5.0.2.18: Apply APAR PK23475" to "For V5.0.2.18: Apply APAR PK43894. For V5.0.2.10 to 5.0.2.17: Apply APAR PK23475". (Added APAR PK43894 for release 5.0.2.18 only.) Added 'change history' table.
  • March 2007: Changed "5.0.2 to 5.0.2.2" to "V5.0.2.2 to 5.0.2.4" and added "For V5.0.2 to 5.0.2.1: If serving files from an extended document root without servlet caching enabled or with servlet caching enabled as previously described: Apply APAR PK23475 Otherwise: Apply either APAR PK23475 or APAR PQ91033".
  • August 2006: Created and published JSP Security Exposure Flash for WebSphere Application Server.
 
 
Cross Reference information

| Segment | Product | Component | Platform | Version | Edition |
|---|---|---|---|---|---|
| Application Servers | WebSphere Application Server - Express | General | AIX, HP-UX, Linux, Solaris, Windows | 6.0, 5.1, 5.0 | All Editions |
| Application Servers | WebSphere Application Server Enterprise | General | AIX, HP-UX, Linux, Solaris, Windows | 5.1, 5.0, 4.0 | All Editions |
| Application Servers | WebSphere Application Server for z/OS | Servlet Engine/Web Container | OS/390, z/OS | 6.0.1, 5.1, 5.0 | All Editions |
| Application Servers | Runtimes for Java Technology | Java SDK | | | |
 
 


Document Information


Current web document: swg21243541.html
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s): z/OS
Software version: 6.1
Software edition:
Reference #: 1243541
IBM Group: Software Group
Modified date: Aug 20, 2007