Fix (APAR): PQ76082
Status: Fix
Release: 4.0.5
Operating System: All
Supersedes Fixes:
CMVC Defect: PQ76082
Byte size of APAR: 1069534
Date: 2003-09-03

Abstract:
A maliciously formatted HTTP request for a JSP resource can cause the application server to serve the raw JSP source content to the browser.

Description/symptom of problem:
IBM has identified a potential security exposure in IBM WebSphere Application Server where a maliciously formatted HTTP request for a JSP resource can cause the application server to serve the raw JSP source content to the browser. Only web applications with file serving enabled are affected by this problem.

Directions to apply fix:
1) Create a temporary "fix" directory to store the jar file:
   AIX: /tmp/WebSphere/fix
   Solaris/Linux: /tmp/WebSphere/fix
   Windows: c:\temp\WebSphere\fix
2) Copy the jar file to the directory.
3) Shut down WebSphere.
4) Create a /Fix directory if one does not already exist.
5) Run the jar file with the following command, answering questions/prompts as they appear:
   java -jar -backupJar /Fix/_backup.jar
6) Restart WebSphere.
7) The temp directory may be removed, but the jar file should be saved. Do not remove any files created and stored in the /Fix directory. These files are required if a fix is to be removed.

Directions to remove fix:
NOTE: FIXES MUST BE REMOVED IN THE ORDER THEY WERE APPLIED. DO NOT REMOVE A FIX UNLESS ALL FIXES APPLIED AFTER IT HAVE FIRST BEEN REMOVED. YOU MAY REAPPLY ANY REMOVED FIX.
Example: If your system has fix1, fix2, and fix3 applied in that order and fix2 is to be removed, fix3 must be removed first, then fix2 removed, and fix3 re-applied.
1) Change directory to the fix location (/Fix).
2) Shut down WebSphere.
3) Run the backup jar file with the following command:
   java -jar
4) Restart WebSphere.

Directions to re-apply fix:
Follow the instructions for applying a fix. If the backup files still exist (from the previous fix application), you will be prompted to overwrite. Answer "yes" at the overwrite prompts.

Additional Information:
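Because the APAR says only web modules with file serving enabled are affected, an administrator's first step is an inventory of which deployed modules have that setting, and after applying the fix, a check that a JSP URL returns rendered output rather than raw source. The script below is an added example, not IBM's code; it assumes the WebSphere per-module extension descriptor is WEB-INF/ibm-web-ext.xmi with a root attribute fileServingEnabled, and the installedApps layout and module names in the sample tree are constructed.

```python
"""Added example (not from IBM's APAR text): find WebSphere web modules with
file serving enabled, the population PQ76082 says is exposed, and check a
served JSP body for signs of raw source.  The WEB-INF/ibm-web-ext.xmi file
and its fileServingEnabled attribute are assumed WebSphere 4.x conventions."""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

EXT_FILE = "ibm-web-ext.xmi"

def file_serving_enabled(xml_text: str) -> bool:
    """True if the WebAppExtension root attribute fileServingEnabled is 'true'.
    The attribute is absent by default, which WebSphere treats as disabled."""
    root = ET.fromstring(xml_text)
    return root.attrib.get("fileServingEnabled", "false").strip().lower() == "true"

def find_affected_modules(root_dir: str) -> list:
    """Walk an installedApps-style tree and return the module paths (relative
    to root_dir, '/'-separated) whose extension descriptor enables file serving."""
    hits = []
    for dirpath, _dirs, files in os.walk(root_dir):
        if EXT_FILE in files:
            with open(os.path.join(dirpath, EXT_FILE), encoding="utf-8") as fh:
                if file_serving_enabled(fh.read()):
                    hits.append(os.path.relpath(dirpath, root_dir).replace(os.sep, "/"))
    return sorted(hits)

# Rendered JSP output never contains directives, scriptlets or jsp: actions;
# their presence in a response body means the container served the source.
JSP_MARKERS = re.compile(r"<%|<jsp:")

def looks_like_jsp_source(body: str) -> bool:
    """Post-fix check: does a JSP response body still look like raw JSP?"""
    return JSP_MARKERS.search(body) is not None

# Constructed sample descriptor; only the flag value varies between modules.
SAMPLE_EXT = ('<?xml version="1.0" encoding="UTF-8"?>\n'
              '<webappext:WebAppExtension xmi:version="2.0" '
              'xmlns:xmi="http://www.omg.org/XMI" xmlns:webappext="webappext.xmi" '
              'fileServingEnabled="{flag}"/>')

def demo() -> list:
    """Build a constructed installedApps tree with two modules and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for module, flag in (("ShopApp.ear/shop.war", "true"),
                             ("AdminApp.ear/admin.war", "false")):
            web_inf = os.path.join(tmp, module, "WEB-INF")
            os.makedirs(web_inf)
            with open(os.path.join(web_inf, EXT_FILE), "w", encoding="utf-8") as fh:
                fh.write(SAMPLE_EXT.format(flag=flag))
        return find_affected_modules(tmp)  # ['ShopApp.ear/shop.war/WEB-INF']
```

Point find_affected_modules at the real installedApps directory to list the modules that need the fix applied; run looks_like_jsp_source against the body of an ordinary GET of one of your own JSPs after restarting to confirm the fix took effect.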