Abstract

With IBM® WebSphere® Application Server, the use of specific characters in JSP URLs might expose JavaServer Pages (JSP) source code rather than the rendered JSP page. With the APAR fixes listed here, an error code or the formatted output, as appropriate, is displayed instead.
Content

A possible security exposure has been identified in WebSphere Application Server in which, under four different configurations, raw JSP source content may be served to a browser. The configurations are as follows:
- Serving a JSP from an Application WAR. A JSP file stored under the application WAR directory can be accessed when fileServingEnabled is set to true in the ibm.web.ext.xmi file.
- Serving a JSP from an Extended Document Root. A JSP file under an extendedDocumentRoot directory can be accessed when fileServingEnabled is set to true in the ibm.web.ext.xmi file.
- Serving a JSP from an Application WAR with servlet caching enabled. Same as the first scenario, but with servlet caching enabled and with a caching policy that uses com.ibm.ws.webcontainer.servlet.SimpleFileServlet.class for servlet caching.
- Serving a JSP from an Extended Document Root with servlet caching enabled. Same as the second scenario, but with servlet caching enabled and with a caching policy that uses com.ibm.ws.webcontainer.servlet.SimpleFileServlet.class for servlet caching.
This document addresses only these four identified configurations. For example, if servlet caching is enabled with a class other than com.ibm.ws.webcontainer.servlet.SimpleFileServlet.class, that other class may also cause an exposure.
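As an added example (not IBM's code and not part of this flash), the following Python audit classifies a web module against the four configurations above. It assumes the extension descriptor the page calls ibm.web.ext.xmi carries fileServingEnabled as a root attribute and extendedDocumentRoot as a fileServingAttributes parameter, and that servlet caching policies are cache-entry elements in a cachespec.xml; both sample documents are constructed.

```python
import xml.etree.ElementTree as ET

SIMPLE_FILE_SERVLET = "com.ibm.ws.webcontainer.servlet.SimpleFileServlet.class"

# Constructed sample extension descriptor: file serving on, plus an extended document root.
WEB_EXT_XMI = """<?xml version="1.0" encoding="UTF-8"?>
<webappext:WebAppExtension xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI"
    xmlns:webappext="webappext.xmi" fileServingEnabled="true">
  <fileServingAttributes name="extendedDocumentRoot" value="/opt/shared/html"/>
</webappext:WebAppExtension>
"""

# Constructed sample cachespec.xml: a policy that caches SimpleFileServlet output.
CACHESPEC_XML = """<?xml version="1.0"?>
<cache>
  <cache-entry>
    <class>servlet</class>
    <name>com.ibm.ws.webcontainer.servlet.SimpleFileServlet.class</name>
  </cache-entry>
</cache>"""

def file_serving_enabled(web_ext_xmi):
    """True when the module serves static files (fileServingEnabled="true")."""
    root = ET.fromstring(web_ext_xmi)
    return root.get("fileServingEnabled", "false").strip().lower() == "true"

def extended_document_roots(web_ext_xmi):
    """Values of every extendedDocumentRoot file-serving attribute (assumed layout)."""
    root = ET.fromstring(web_ext_xmi)
    return [a.get("value") for a in root.iter("fileServingAttributes")
            if a.get("name") == "extendedDocumentRoot" and a.get("value")]

def simple_file_servlet_cached(cachespec_xml):
    """True when a servlet cache-entry names SimpleFileServlet.class."""
    root = ET.fromstring(cachespec_xml)
    return any(e.findtext("class") == "servlet" and e.findtext("name") == SIMPLE_FILE_SERVLET
               for e in root.iter("cache-entry"))

def exposed_scenarios(web_ext_xmi, cachespec_xml=None):
    """Return the flash's scenario numbers (1-4) this module matches; servlet
    caching is assumed to be enabled whenever a cachespec.xml is supplied."""
    if not file_serving_enabled(web_ext_xmi):
        return []                                # none of the four applies
    scenarios = [1]                              # JSP under the application WAR
    if extended_document_roots(web_ext_xmi):
        scenarios.append(2)                      # JSP under an extendedDocumentRoot
    if cachespec_xml and simple_file_servlet_cached(cachespec_xml):
        scenarios += [s + 2 for s in scenarios]  # same paths, with servlet caching
    return scenarios
```

A module that reports an empty list is outside the four configurations this document covers; any non-empty result should be checked against the APAR tables below for its release and platform.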
If any of these configurations is in use, a fix may or may not be required, depending on which configuration is enabled and on the level of WebSphere Application Server and operating system in use. The APARs required are detailed below. Note that after any required APAR(s) are applied, the browser displays either an error code or the properly formatted output, whichever is the appropriate response.
For WebSphere Application Server for Distributed Platforms:

For V6.1.0.2 through 6.1.0.3 (for Microsoft® Windows® only):
  If servlet caching is enabled as previously described:
For V6.1 through 6.1.0.1:
  - For Microsoft Windows only:
    If servlet caching is enabled as previously described:
    Otherwise:
  - For IBM AIX®, Linux®, Solaris, HP-UX:
For V6.0.2.13 through 6.0.2.15 (for Microsoft Windows only):
  If servlet caching is enabled as previously described:
For V6.0.2.5 to 6.0.2.11:
  - For Microsoft Windows only:
    If servlet caching is enabled as previously described:
    Otherwise:
  - For IBM AIX, Linux, Solaris, HP-UX:
For V6.0.2.3:
  - For Microsoft Windows only:
    If servlet caching is enabled as previously described:
    Otherwise:
  - For IBM AIX, Linux, Solaris, HP-UX:
    If servlet caching is enabled as previously described:
    Otherwise:
For V6.0.2 through 6.0.2.1:
  - For Microsoft Windows only:
    If servlet caching is enabled as previously described:
    Otherwise:
  - For IBM AIX, Linux, Solaris, HP-UX:
    If serving files from an Extended Document Root without servlet caching enabled as previously described:
    Otherwise:
For V6.0.0.2 through 6.0.1.2:
  - For Microsoft Windows only:
    If servlet caching is enabled as previously described:
    If serving files from an Extended Document Root without servlet caching enabled as previously described:
    Otherwise:
  - For IBM AIX, Linux, Solaris, HP-UX:
    If serving files from an Extended Document Root without servlet caching enabled as previously described:
    Otherwise:
For V6.0.0.1:
  - For Microsoft Windows only:
    If servlet caching is enabled as previously described:
    Otherwise:
  - For IBM AIX, Linux, Solaris, HP-UX:
    If serving files from an Extended Document Root without servlet caching enabled as previously described:
    Otherwise:
For V5.1.1.11:
  If serving files from an Extended Document Root without servlet caching enabled or with servlet caching enabled as previously described:
For V5.1.1.9 (for Microsoft Windows only):
  If serving files from an Extended Document Root without servlet caching enabled or with servlet caching enabled as previously described:
  Otherwise:
For V5.1.1.4 through 5.1.1.10 (for IBM AIX, Linux, Solaris, HP-UX) and V5.1.1.4 through 5.1.1.8 and 5.1.1.10 (for Microsoft Windows):
  If serving files from an Extended Document Root without servlet caching enabled or with servlet caching enabled as previously described:
  Otherwise:
For V5.1.1.3:
  If serving files from an Extended Document Root without servlet caching enabled or with servlet caching enabled as previously described:
For V5.1.0.2 through 5.1.1.2:
  - For Microsoft Windows only:
    If serving files from an Extended Document Root without servlet caching enabled or with servlet caching enabled as previously described:
    Otherwise:
  - For IBM AIX, Linux, Solaris, HP-UX:
    If serving files from an Extended Document Root without servlet caching enabled or with servlet caching enabled as previously described:
    Otherwise:
For V5.1 through 5.1.0.1:
  If serving files from an Extended Document Root without servlet caching enabled or with servlet caching enabled as previously described:
  Otherwise:
For V5.0.2.18:
For V5.0.2.10 to 5.0.2.17:
For V5.0.2.8 to 5.0.2.9 (for Microsoft Windows only):
  If serving files from an Extended Document Root without servlet caching enabled or with servlet caching enabled as previously described:
  Otherwise:
For V5.0.2.5 to 5.0.2.7 (for Microsoft Windows only):
For V5.0.2.2 to 5.0.2.4 (for Microsoft Windows only):
  If serving files from an Extended Document Root without servlet caching enabled or with servlet caching enabled as previously described:
  Otherwise:
For V5.0.2.2 to 5.0.2.9 (for IBM AIX, Linux, Solaris, HP-UX):
  If serving files from an Extended Document Root without servlet caching enabled or with servlet caching enabled as previously described:
For V5.0.2 to 5.0.2.1:
  If serving files from an Extended Document Root without servlet caching enabled or with servlet caching enabled as previously described:
  Otherwise:
For V5.0.1:
  - For Microsoft Windows only:
  - For IBM AIX, Linux, Solaris, HP-UX:
    If serving files from an Extended Document Root without servlet caching enabled or with servlet caching enabled as previously described:
    Otherwise:
For V5.0:
  - For Microsoft Windows only:
    If serving files from an Extended Document Root without servlet caching enabled or with servlet caching enabled as previously described:
  - For IBM AIX, Linux, Solaris, HP-UX:
    If serving files from an Extended Document Root without servlet caching enabled or with servlet caching enabled as previously described:
    Otherwise:
For V4.0.5 through 4.0.7:
  If serving files from an Extended Document Root without servlet caching enabled or with servlet caching enabled as previously described:
  Otherwise:
For V4.0.3 through 4.0.4:
  Upgrade to V4.0.5, or later, available from Recommended Fixes for WebSphere Application Server, and then follow the instructions previously described for the new upgraded level.
For IBM WebSphere Application Server for z/OS platforms:
For V6.1.0.2 through 6.1.0.4:
- Apply APAR PK36741 (PK32374), for Cumulative Fix Pack 5
(V6.1.0.5), or later.
- 6.1.0.5 PTFs are UK20982, UK21009, UK21015, UK21016,
UK21017, and UK21027.
For V6.0.2.13 through 6.0.2.16:
- Apply APAR PK35633 (PK32374), for Cumulative Fix Pack 17
(V6.0.2.17), or later.
- 6.0.2.17 PTFs are UK20459, UK20460, and UK20461.
For V5.1 prior to W510236:
- Apply APAR PK27728 (PTF UK16713) for service level
W510236, or later.
For V5.0 prior to W502042:
- Apply APAR PK27727 (PTF UK17760) for service level
W502042, or later.
For IBM WebSphere Application Server for iSeries, i5/OS, and OS/400 platforms:
For V6.1 through 6.1.0.1:
- Apply APAR PK23475
Or
- Apply the current WebSphere Application Server group PTF
and install the fix pack according to the group PTF instructions.
For V6.0.2.5 to 6.0.2.11:
- Apply APAR PK23475
Or
- Apply the current WebSphere Application Server group PTF
and install the fix pack according to the group PTF instructions.
For V6.0.2.3:
If servlet caching is enabled as previously described:
- Apply APAR PK32374
Or
- Apply the current WebSphere Application Server group PTF
and install the fix pack according to the group PTF instructions.
Otherwise:
- Apply APAR PK23475
Or
- Apply the current WebSphere Application Server group PTF
and install the fix pack according to the group PTF instructions.
For V6.0.2 through 6.0.2.1:
If serving files from an Extended Document Root without servlet caching
enabled as previously described:
- Apply APAR PK23475
Or
- Apply the current WebSphere Application Server group PTF
and install the fix pack according to the group PTF instructions.
Otherwise:
- Apply either APAR PK23475
or APAR PK22928
Or
- Apply the current WebSphere Application Server group PTF
and install the fix pack according to the group PTF instructions.
For V6.0.0.2 through 6.0.1.2:
If serving files from an Extended Document Root without servlet caching
enabled as previously described:
- Apply APAR PK23475
Or
- Apply the current WebSphere Application Server group PTF
and install the fix pack according to the group PTF instructions.
Otherwise:
- Apply either APAR PK23475
or APAR PK22928
Or
- Apply the current WebSphere Application Server group PTF
and install the fix pack according to the group PTF instructions.
For V6.0.0.1:
If serving files from an Extended Document Root without servlet caching
enabled as previously described:
- Apply APAR PK23475
Or
- Apply the current WebSphere Application Server group PTF
and install the fix pack according to the group PTF instructions.
Otherwise:
- Apply either APAR PK23475
or APAR PK22928
Or
- Apply the current WebSphere Application Server group PTF
and install the fix pack according to the group PTF instructions.
For V5.0 and V5.1:
- Apply the current WebSphere Application Server group
PTF.
Change history

Date | Change
August 2007 | Changed "For V5.0.2.10 to 5.0.2.18: Apply APAR PK23475" to "For V5.0.2.18: Apply APAR PK43894. For V5.0.2.10 to 5.0.2.17: Apply APAR PK23475". (Added APAR PK43894 for release 5.0.2.18 only.) Added 'change history' table.
March 2007 | Changed "5.0.2 to 5.0.2.2" to "V5.0.2.2 to 5.0.2.4" and added "For V5.0.2 to 5.0.2.1: If serving files from an extended document root without servlet caching enabled or with servlet caching enabled as previously described: Apply APAR PK23475 Otherwise: Apply either APAR PK23475 or APAR PQ91033".
August 2006 | Created and published JSP Security Exposure Flash for WebSphere Application Server.
Cross Reference information

Segment | Product | Component | Platform | Version | Edition
Application Servers | WebSphere Application Server - Express | General | AIX, HP-UX, Linux, Solaris, Windows | 6.0, 5.1, 5.0 | All Editions
Application Servers | WebSphere Application Server Enterprise | General | AIX, HP-UX, Linux, Solaris, Windows | 5.1, 5.0, 4.0 | All Editions
Application Servers | WebSphere Application Server for z/OS | Servlet Engine/Web Container | OS/390, z/OS | 6.0.1, 5.1, 5.0 | All Editions
Application Servers | Runtimes for Java Technology | Java SDK | | |