4.2.1.2.3b: Security risk example of invoking servlets by class name

Anyone enabling the "serve servlets by class name" function in WebSphere Application Server should take steps to avoid the security risks it introduces. With this function enabled, any servlet class on an application's classpath can be invoked by its class name, whether or not the application was designed to expose it. The administrator should therefore remain aware of each and every servlet class placed in the classpath of an application.
The malicious tags that can be embedded in this way are <SCRIPT> and </SCRIPT>: if a servlet that can be reached by class name echoes client-supplied data back into its response, an attacker can place script in that data and have the server-generated page deliver it to the victim's browser. This problem can be prevented if server-generated pages are encoded so that the scripts cannot execute. Developers generating responses that contain client data, based on servlet or JSP requests, can encode the response data using the following method:

com.ibm.websphere.servlet.response.ResponseUtils.encodeDataString(String)

Visit the CERT advisories Web site for more information.

Protecting servlets

See the article, Securing Applications, for information on securing servlets and Web resources.
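The following servlet is an added example, not code from the InfoCenter page or from WebSphere itself. It shows the risk described above (a servlet reachable by class name that reflects a request parameter into its HTML response) beside the fix the page recommends. The servlet name EchoServlet, the parameter name "name", and the helper methods renderUnsafe and renderEncoded are assumptions made for illustration; the example also assumes that ResponseUtils.encodeDataString is a static method taking and returning a String, as its listing on the page suggests.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.ibm.websphere.servlet.response.ResponseUtils;

/**
 * EchoServlet: an illustrative servlet (assumed name, not from the page) that
 * reflects a request parameter back to the client. If "serve servlets by class
 * name" is enabled, this class is reachable by its class name simply because it
 * sits on the application's classpath, whether or not web.xml ever mapped it.
 */
public class EchoServlet extends HttpServlet {

    // Vulnerable: the raw parameter value is written into the page, so a request
    // such as  ?name=<SCRIPT>alert(document.cookie)</SCRIPT>  comes back to the
    // browser as executable script (reflected cross-site scripting). Kept here
    // only to show the "before" state; never call it from doGet.
    static String renderUnsafe(String clientData) {
        return "<html><body>Hello, " + clientData + "</body></html>";
    }

    // Hardened: encodeDataString (the method the page recommends; assumed static)
    // encodes the characters the browser would otherwise interpret as markup, so
    // the same input is displayed as literal text instead of being executed.
    static String renderEncoded(String clientData) {
        return "<html><body>Hello, "
                + ResponseUtils.encodeDataString(clientData)
                + "</body></html>";
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // "name" is an assumed parameter name for the example.
        String name = req.getParameter("name");
        if (name == null) {
            name = "";
        }
        resp.setContentType("text/html");
        PrintWriter out = resp.getWriter();
        out.print(renderEncoded(name));
    }
}
```

Two practical points follow from the example. First, encoding must be applied to every piece of client-derived data at the point where it is written into HTML, not just to parameters the developer expects to be dangerous; request headers, path segments and cookie values are just as attacker-controlled as query parameters. Second, encoding the output only protects servlets that are written to do so: a forgotten test or sample servlet left on the classpath gains nothing from this fix, which is why the page tells administrators to audit every servlet class that "serve servlets by class name" makes reachable.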