Fix (APAR): PK36447
Status: Fix
Release: 6.0.2.17, 6.0.2.15
Operating System: AIX, HP-UX, Linux, Solaris, Windows
Supersedes Fixes:
PRE-REQUISITE FIXES:
EXCLUSIVE-REQUISITE FIXES:
CMVC Defect: PK36447
Byte size of APAR: 64080
Date: 2007-04-16

Abstract: It is possible for a servlet to access files in an application's WEB-INF or META-INF directory.

Description/symptom of problem:
PK36447 resolves the following problem:

ERROR DESCRIPTION: In WebSphere 6.0.2.13 and 6.0.2.15 there is possible source code exposure. From the browser the web.xml and manifest file can be seen.

LOCAL FIX:

PROBLEM SUMMARY
USERS AFFECTED: WebSphere Application Server version 6 users with servlets which attempt to access the WEB-INF or META-INF directory.
PROBLEM DESCRIPTION: It is possible for a servlet to access files in an application's WEB-INF or META-INF directory.
RECOMMENDATION: None

Servlet access to files in WEB-INF is allowable, but undesirable to some customers. Servlet access to files in the META-INF directory should be forbidden. It is not possible to access such files directly using a URL. PK24615 was included in 6.0.2.13 and 6.1.0.3 to fix a problem related to accessing files whose names included the strings "META-INF" and "WEB-INF". As a side effect of that change, servlet access to files in the application's META-INF or WEB-INF directory was enabled.

PROBLEM CONCLUSION: A new custom property is introduced: 'exposewebinfondispatch'. If this is set to 'true', a servlet can access files in the WEB-INF directory. If this is set to 'false' (the default), a servlet cannot access files in the WEB-INF directory. Servlet access to the META-INF directory has been blocked.

The fix for this APAR is currently targeted for inclusion in fixpacks 6.0.2.19 and 6.1.0.7.
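The APAR history above (PK24615 loosened a check that matched the strings "WEB-INF" and "META-INF", and PK36447 had to restore protection for the directories themselves) is the classic substring-versus-path-segment mistake. The class below is an added example, not IBM's code and not how the WebSphere web container actually implements the check: it filters the context-relative path a servlet would hand to a RequestDispatcher by comparing whole, normalised path segments, so that "/WEB-INF/web.xml" is refused while "/WEB-INFormation/page.jsp" is not. The boolean field is an assumed stand-in for the 'exposewebinfondispatch' custom property (default false); the class and method names are likewise assumptions, and the sample paths in main are constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Locale;

/*
 * Added example, not IBM code: a dispatch-target check that matches whole
 * path segments rather than substrings. The boolean field is an assumed
 * stand-in for the 'exposewebinfondispatch' custom property (default false).
 */
public class DispatchTargetCheck {

    private final boolean exposeWebInfOnDispatch;

    public DispatchTargetCheck(boolean exposeWebInfOnDispatch) {
        this.exposeWebInfOnDispatch = exposeWebInfOnDispatch;
    }

    /**
     * Decide whether a servlet may forward to or include the given
     * context-relative path. Returns false for anything that cannot be
     * parsed, climbs out of the web application, or names META-INF;
     * WEB-INF is allowed only when the property is on.
     */
    public boolean isDispatchAllowed(String rawPath) {
        String decoded;
        try {
            // getPath() returns the percent-decoded path, so "/%57EB-INF/web.xml"
            // is seen as "/WEB-INF/web.xml" before any comparison is made.
            decoded = new URI(rawPath).getPath();
        } catch (URISyntaxException e) {
            return false;
        }
        if (decoded == null) {
            return false;
        }
        // A percent-encoded backslash (%5C) decodes to one; Windows treats it
        // as a separator, so normalise it before splitting.
        decoded = decoded.replace('\\', '/');

        // Resolve "." and ".." so "/pages/../WEB-INF/web.xml" cannot slip past
        // a check that only looks at the leading segment.
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : decoded.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;
            }
            if (seg.equals("..")) {
                if (segments.isEmpty()) {
                    return false; // would leave the web application root
                }
                segments.removeLast();
                continue;
            }
            segments.addLast(seg);
        }

        boolean touchesWebInf = false;
        for (String seg : segments) {
            // Compare whole segments, case-folded (Windows file systems fold
            // case and ignore trailing dots and spaces), not substrings:
            // "/WEB-INFormation/page.jsp" is an ordinary, legitimate path.
            String name = seg.toUpperCase(Locale.ROOT).replaceAll("[. ]+$", "");
            if (name.equals("META-INF")) {
                return false; // always blocked, whatever the property says
            }
            if (name.equals("WEB-INF")) {
                touchesWebInf = true;
            }
        }
        return !touchesWebInf || exposeWebInfOnDispatch;
    }

    public static void main(String[] args) {
        DispatchTargetCheck strict = new DispatchTargetCheck(false);
        DispatchTargetCheck relaxed = new DispatchTargetCheck(true);
        // Constructed sample paths, not taken from any real application.
        String[] samples = {
            "/WEB-INF/web.xml",
            "/web-inf/web.xml",
            "/%57EB-INF/web.xml",
            "/pages/../WEB-INF/web.xml",
            "/META-INF/MANIFEST.MF",
            "/WEB-INFormation/page.jsp",
            "/../secret.txt",
        };
        for (String s : samples) {
            System.out.printf("%-28s default: %-5s exposewebinfondispatch=true: %s%n",
                    s, strict.isDispatchAllowed(s), relaxed.isDispatchAllowed(s));
        }
    }
}
```

With the default (false) every WEB-INF and META-INF target is refused, including the case-folded, percent-encoded and dot-dot variants; with the property on, WEB-INF targets pass but META-INF stays blocked, matching the PROBLEM CONCLUSION above. When auditing an application, grep the servlets for getRequestDispatcher calls whose argument is built from request data; those are the code paths this property governs.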
Please refer to the recommended updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Directions to apply fix:

Fix applies to Editions:
                Release: 6.0  6.1
  X__  ___  Application Server (Express or Base)
  X__  ___  Network Deployment (ND)
  ___  ___  WebSphere Business Integration Server Foundation (WBISF)
  ___  ___  Edge Components
  ___  ___  Developer
  ___  ___  Extended Deployment (XD)

Install Fix To:
  Method:
  X_  Application Server Nodes
  __  Deployment Manager Nodes
  __  Both

NOTE: The user must:
* Have Administrative rights in Windows, or be the actual root user in a UNIX environment.
* Be logged in with the same authority level when unpacking a fix, fix pack or refresh pack.
* Be at V6.0.2.2 or later of the Update Installer. This can be checked by reviewing the level of the Update Installer in the file /updateInstaller/version.txt

The Update Installer can be downloaded from the following link:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg24008401

For detailed instructions on how to extract the Update Installer see the following Technote:
http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg27006162

1) Copy the PK36447.pak file directly to the maintenance directory.
2) Shutdown WebSphere. Manually execute setupCmdLine.bat in Windows or ../setupCmdLine.sh in UNIX from the WebSphere instance that maintenance is being applied to. It is important that you perform a controlled and complete shutdown of the server to ensure that all transactions have completed, before installing the fix.
3) Launch the Update Installer.
4) Enter the installation location of the WebSphere product you want to update.
5) Select the "Install maintenance package" operation.
6) Enter the file name of the maintenance package to install (the PK36447.pak file which was copied into the maintenance directory).
7) Install the maintenance package.
8) Restart WebSphere.
Directions to remove fix:

NOTE:
* The user must have Administrative rights in Windows, or be the actual root user in a UNIX environment.
* FIXES MUST BE REMOVED IN THE ORDER THEY WERE APPLIED.
* DO NOT REMOVE A FIX UNLESS ALL FIXES APPLIED AFTER IT HAVE FIRST BEEN REMOVED.
* YOU MAY REAPPLY ANY REMOVED FIX.

Example: If your system has fix1, fix2, and fix3 applied in that order and fix2 is to be removed, fix3 must be removed first, then fix2 removed, and fix3 re-applied.

1) Shutdown WebSphere. Manually execute setupCmdLine.bat in Windows or ../setupCmdLine.sh in UNIX from the WebSphere instance that the uninstall is being run against. It is important that you perform a controlled and complete shutdown of the server to ensure that all transactions have completed, before removing the fix.
2) Launch the Update Installer.
3) Enter the installation location of the WebSphere product from which you want to remove the fix.
4) Select the "Uninstall maintenance package" operation.
5) Enter the file name of the maintenance package to uninstall (PK36447.pak).
6) Uninstall the maintenance package.
7) Restart WebSphere.

Directions to re-apply fix:

1) Shutdown WebSphere. It is important that you perform a controlled and complete shutdown of the server to ensure that all transactions have completed, before installing the fix.
2) Follow the instructions to apply the fix.
3) Restart WebSphere.

Additional Information: