Fix (APAR): PK23475
Status: Fix
Release: 6.1.0.1
Operating System: AIX, HP-UX, Linux, Solaris, Windows
Supersedes Fixes:
PRE-REQUISITE FIXES:
EXCLUSIVE-REQUISITE FIXES:
CMVC Defect: PK23475
Byte size of APAR: 1286531
Date: 2006-10-23

Abstract:
fileServingEnabled set to true for an ExtendedDocumentRoot directory leaves possibility of JSP source code exposure.

Description/symptom of problem:
PK23475 resolves the following problem:

ERROR DESCRIPTION:
Source code is exposed when a JSP is placed outside the WAR file, for WAS 5.1.1.9 with PK20181. The problem happens when the customer maintains the JSP file outside of the WAR file using the IBM extension feature called ExtendedDocumentRoot with file serving enabled (as defined in the ibm-web-ext.xmi file in the WAR module).

LOCAL FIX:
In the interim, the customer should be able to designate separate directories or jars for the JSP and fileServing extendedDocumentRoot values, which would resolve this.

PROBLEM SUMMARY

USERS AFFECTED:
Customers who provide JSPs for access from an ExtendedDocumentRoot directory based on file serving (fileServingEnabled set to true).

PROBLEM DESCRIPTION:
fileServingEnabled set to true for an ExtendedDocumentRoot directory leaves possibility of JSP source code exposure.

RECOMMENDATION:
None

If an extendedDocumentRoot directory is defined, fileServingEnabled is set to true, and a JSP is stored in the extendedDocumentRoot directory, there is a risk that the source code of the JSP will be exposed, for example when the JSP is requested from a browser using a particular format of request that makes use of the file serving enablement. This is potentially a security issue. The problem does not exist if fileServingEnabled is false or if an extendedDocumentRoot directory is not used.

PROBLEM CONCLUSION:
The code has been updated to prevent access to JSP source code from an extendedDocumentRoot directory when fileServingEnabled is set to true. The same level of checking is now performed whether a JSP is accessed from a subdirectory of the application WAR directory or from an extendedDocumentRoot directory with fileServingEnabled set to true.

The fix for this APAR is currently targeted for inclusion in cumulative fix 5.1.1.12 and fix packs 6.0.2.13 and 6.1.0.2. Please refer to the recommended updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Directions to apply fix:

Fix applies to Editions:
  Release:  6.0  6.1
            ___  X__  Application Server (Express or Base)
            ___  X__  Network Deployment (ND)
            ___  ___  WebSphere Business Integration Server Foundation (WBISF)
            ___  ___  Edge Components
            ___  ___  Developer
            ___  ___  Extended Deployment (XD)

Install Fix To:
  Method:   X_  Application Server Nodes
            __  Deployment Manager Nodes
            __  Both

NOTE: The user must:
* Have Administrative rights in Windows, or be the actual root user in a UNIX environment.
* Be logged in with the same authority level when unpacking a fix, fix pack or refresh pack.
* Be at V6.1.0.0 or later of the Update Installer. This can be checked by reviewing the level of the Update Installer in file /updateInstaller/version.txt

The Update Installer can be downloaded from the following link:
http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg24012718

For detailed instructions on how to extract the Update Installer see the following Technote:
http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg27006162

1) Copy the 6.1.0-WS-WAS-IFPK23475.pak file directly to the maintenance directory.
2) Shut down WebSphere. Manually execute setupCmdLine.bat in Windows or ../setupCmdLine.sh in UNIX from the WebSphere instance that maintenance is being applied to. It is important that you perform a controlled and complete shutdown of the server to ensure that all transactions have completed, before installing the fix.
3) Launch the Update Installer.
4) Enter the installation location of the WebSphere product you want to update.
5) Select the "Install maintenance package" operation.
6) Enter the file name of the maintenance package to install (the PK23475.pak file which was copied into the maintenance directory).
7) Install the maintenance package.
8) Restart WebSphere.

Directions to remove fix:

NOTE:
* The user must have Administrative rights in Windows, or be the actual root user in a UNIX environment.
* FIXES MUST BE REMOVED IN THE ORDER THEY WERE APPLIED.
* DO NOT REMOVE A FIX UNLESS ALL FIXES APPLIED AFTER IT HAVE FIRST BEEN REMOVED.
* YOU MAY REAPPLY ANY REMOVED FIX.

Example: If your system has fix1, fix2, and fix3 applied in that order and fix2 is to be removed, fix3 must be removed first, then fix2 removed, and then fix3 re-applied.

1) Shut down WebSphere. Manually execute setupCmdLine.bat in Windows or ../setupCmdLine.sh in UNIX from the WebSphere instance that the uninstall is being run against. It is important that you perform a controlled and complete shutdown of the server to ensure that all transactions have completed, before installing the fix.
2) Launch the Update Installer.
3) Enter the installation location of the WebSphere product from which you want to remove the fix.
4) Select the "Uninstall maintenance package" operation.
5) Enter the file name of the maintenance package to uninstall (PK23475.pak).
6) Uninstall the maintenance package.
7) Restart WebSphere.

Directions to re-apply fix:

1) Shut down WebSphere. It is important that you perform a controlled and complete shutdown of the server to ensure that all transactions have completed, before installing the fix.
2) Follow the instructions to apply the fix.
3) Restart WebSphere.

Additional Information:
The supplied iFix applies more generally to JSP source code exposures than the description implies.
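The problem description and the LOCAL FIX above reduce to a configuration check: the risk exists only when fileServingEnabled is true, a file-serving extendedDocumentRoot is defined, and JSP files live under that directory; giving JSPs and file serving separate extendedDocumentRoot directories removes the overlap. The following audit script is an added example, not IBM code from the fix package. It assumes the WAS 6.x ibm-web-ext.xmi layout as the example author understands it (a fileServingEnabled attribute on the root element, and fileServingAttributes / jspAttributes child elements whose name="extendedDocumentRoot" value carries one or more comma-separated directories or jars); the sample descriptor and the temporary directory contents are constructed for the demonstration and should be checked against your own deployment.

```python
"""Audit an ibm-web-ext.xmi for the PK23475 risk pattern (added example)."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed descriptor template. The element/attribute names follow the
# WAS 6.x ibm-web-ext.xmi format as assumed by this example; verify them
# against a real descriptor before relying on the result.
XMI_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<webappext:WebAppExtension xmi:version="2.0"
    xmlns:xmi="http://www.omg.org/XMI"
    xmlns:webappext="webappext.xmi"
    xmi:id="WebAppExtension_1" fileServingEnabled="{enabled}">
  <webApp href="WEB-INF/web.xml#WebApp_ID"/>
  <fileServingAttributes xmi:id="FileServingAttribute_1"
      name="extendedDocumentRoot" value="{fs}"/>
  <jspAttributes xmi:id="JSPAttribute_1"
      name="extendedDocumentRoot" value="{jsp}"/>
</webappext:WebAppExtension>
"""


def build_xmi(file_serving_root, jsp_root, file_serving_enabled=True):
    """Render the constructed descriptor for a given pair of roots."""
    return XMI_TEMPLATE.format(enabled=str(file_serving_enabled).lower(),
                               fs=file_serving_root, jsp=jsp_root)


def extended_roots(root_elem, tag):
    """Collect extendedDocumentRoot values from <tag name=... value=...> children.
    The value may list several directories or jars separated by commas."""
    roots = []
    for el in root_elem.findall(tag):
        if el.get("name") == "extendedDocumentRoot":
            raw = el.get("value") or ""
            roots.extend(v.strip() for v in raw.split(",") if v.strip())
    return roots


def find_jsp_files(directory):
    """Return every .jsp/.jspx file below directory (sorted for stable output)."""
    hits = []
    for dirpath, _, files in os.walk(directory):
        for name in files:
            if name.lower().endswith((".jsp", ".jspx")):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def audit_web_ext(xmi_text):
    """Report whether the descriptor exposes JSP source via file serving.

    at_risk is true when file serving is enabled AND a file-serving
    extendedDocumentRoot actually contains JSP files; shared_roots lists
    directories used for both JSP and file serving (the overlap the
    LOCAL FIX in the APAR removes)."""
    root = ET.fromstring(xmi_text)
    enabled = (root.get("fileServingEnabled") or "false").lower() == "true"
    fs_roots = extended_roots(root, "fileServingAttributes")
    jsp_roots = extended_roots(root, "jspAttributes")
    exposed = []
    if enabled:
        for d in fs_roots:
            if os.path.isdir(d):          # jars are not inspected here
                exposed.extend(find_jsp_files(d))
    return {
        "file_serving_enabled": enabled,
        "file_serving_roots": fs_roots,
        "jsp_roots": jsp_roots,
        "shared_roots": sorted(set(fs_roots) & set(jsp_roots)),
        "jsp_under_file_serving_root": exposed,
        "at_risk": enabled and bool(exposed),
    }


def demo():
    """Constructed scenario: one shared root (risky), then the two
    mitigations the APAR text names (separate roots; file serving off)."""
    with tempfile.TemporaryDirectory() as tmp:
        shared = os.path.join(tmp, "shared")
        static = os.path.join(tmp, "static")
        os.makedirs(shared)
        os.makedirs(static)
        with open(os.path.join(shared, "report.jsp"), "w") as f:
            f.write("<%= 1 + 1 %>\n")            # constructed JSP
        with open(os.path.join(shared, "index.html"), "w") as f:
            f.write("<p>ok</p>\n")
        with open(os.path.join(static, "logo.html"), "w") as f:
            f.write("<p>static only</p>\n")
        before = audit_web_ext(build_xmi(shared, shared))
        separated = audit_web_ext(build_xmi(static, shared))
        disabled = audit_web_ext(build_xmi(shared, shared, False))
        return before, separated, disabled


if __name__ == "__main__":
    for label, result in zip(("shared root", "separate roots",
                              "file serving disabled"), demo()):
        print(f"{label}: at_risk={result['at_risk']} "
              f"jsp_files={len(result['jsp_under_file_serving_root'])}")
```

The script only inspects directories; a jar listed as an extendedDocumentRoot is reported in the root lists but not opened, so a jar-based deployment needs a separate look. A result of at_risk=False with file serving enabled means no JSP was found under the file-serving root at scan time, not that the fix has been applied, so it complements rather than replaces installing the iFix.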