[ SOURCE: http://www.secureroot.com/security/advisories/9737052245.html ]

Foundstone, Inc.
http://www.foundstone.com
"Securing the Dot Com World"

Security Advisory

IBM WebSphere default servlet handler showcode vulnerability
----------------------------------------------------------------------
FS Advisory ID:      FS-072400-6-IBM
Release Date:        July 24, 2000
Product:             IBM WebSphere Application Server 3.0.2
Vendor:              IBM
                     http://www-4.ibm.com/software/webservers/appserv/
Vendor Advisory:     none issued so far.
Type:                Unparsed pages: Show code vulnerability
Author:              Shreeraj Shah (shreeraj.shah@foundstone.com)
                     Saumil Shah (saumil.shah@foundstone.com)
Operating Systems:   All operating systems
----------------------------------------------------------------------

Description

A show code vulnerability exists in IBM's WebSphere that allows an
attacker to view the source code of any file within the web document
root of the web server.

Details

IBM WebSphere uses Java Servlets to handle parsing of various types of
pages (for example, HTML, JSP, JHTML, etc.). In addition to the
different servlets that handle the different kinds of pages, WebSphere
also has a default servlet which is called upon if a requested file
does not have a registered handler. It is possible to force the default
servlet to be invoked by prefixing the file path in the URL with
"/servlet/file/", which causes the page to be returned without being
parsed or compiled.

Vulnerable versions

All versions of IBM WebSphere 3.0.2

Verification of the vulnerability

It is easy to verify this vulnerability for a given system. Prefixing
the path to a web page with "/servlet/file/" in the URL causes the file
to be returned without being parsed or compiled. For example, if the
URL for a file "login.jsp" is:

    http://site.running.websphere/login.jsp

then accessing

    http://site.running.websphere/servlet/file/login.jsp

would cause the unparsed contents of the file to show up in the web
browser.
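Because the trigger is a fixed path prefix, exposure attempts can be spotted in web server access logs. The following script is an added example written for this page, not code from the Foundstone advisory or from IBM: it parses Common Log Format lines (the sample lines are constructed), URL-decodes the request path so that an encoded separator such as "%2F" does not hide the prefix, and reports every request that routed through "/servlet/file/" together with the file the default servlet would have served unparsed. The log format and the decoding step are assumptions of the example; the literal prefix is the one the advisory describes.

```python
"""Flag access-log requests that invoke WebSphere's default (file) servlet.

Added example for the Foundstone WebSphere advisory; not the advisory's
own code. Scans Common Log Format lines for request paths that contain
the "/servlet/file/" prefix. All log lines below are constructed.
"""
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines in Common Log Format.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Jul/2000:10:01:12 -0700] "GET /login.jsp HTTP/1.0" 200 1834
10.0.0.7 - - [24/Jul/2000:10:02:03 -0700] "GET /servlet/file/login.jsp HTTP/1.0" 200 2210
10.0.0.7 - - [24/Jul/2000:10:02:09 -0700] "GET /app/servlet/file/config/db.jhtml HTTP/1.0" 200 912
10.0.0.9 - - [24/Jul/2000:10:03:44 -0700] "GET /servlet%2Ffile/index.jsp HTTP/1.0" 200 640
10.0.0.5 - - [24/Jul/2000:10:04:00 -0700] "GET /images/logo.gif HTTP/1.0" 200 4421
10.0.0.9 - - [24/Jul/2000:10:05:15 -0700] "GET /servlet/FileServlet?x=1 HTTP/1.0" 404 210
"""

# Common Log Format: client ident user [timestamp] "METHOD target PROTO" status bytes
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# The prefix from the advisory that routes a request to the default servlet.
DEFAULT_SERVLET_PREFIX = "/servlet/file/"


def normalize_path(target: str) -> str:
    """Return the URL-decoded path component with repeated slashes collapsed."""
    path = urlsplit(target).path
    # Decode twice so a double-encoded separator is also exposed; a plain
    # path is unchanged by the second pass.
    path = unquote(unquote(path))
    return re.sub(r"/{2,}", "/", path)


def find_default_servlet_requests(log_text: str) -> list[dict]:
    """Return one record per request whose normalized path contains the prefix."""
    hits = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        path = normalize_path(m.group("target"))
        idx = path.find(DEFAULT_SERVLET_PREFIX)
        if idx == -1:
            continue
        # Everything after the prefix is the file the servlet would return unparsed.
        exposed = path[idx + len(DEFAULT_SERVLET_PREFIX):]
        hits.append({
            "client": m.group("client"),
            "timestamp": m.group("ts"),
            "status": int(m.group("status")),
            "path": path,
            "exposed_file": exposed,
        })
    return hits


if __name__ == "__main__":
    for hit in find_default_servlet_requests(SAMPLE_LOG):
        print(f'{hit["client"]} {hit["status"]} {hit["path"]} -> {hit["exposed_file"]}')
```

Run against the constructed sample, the script reports three requests: the plain "/servlet/file/login.jsp" request, one where the prefix sits below an application context path, and one where the separator was encoded as "%2F". The "/servlet/FileServlet" request is not reported because it does not match the literal prefix. A status of 200 on a flagged line is the strongest signal that source was actually returned, which is also a quick way to confirm whether the workaround in the Solution section has taken effect.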
Solution

Workaround:
Remove the InvokerServlet from the web application.

Fix:
APAR PQ39857 will be available soon at the site:
http://www-4.ibm.com/software/webservers/appserv/efix.html

Credits

We would like to thank IBM for their prompt and serious reaction to this
problem.

Disclaimer

THE INFORMATION CONTAINED IN THIS ADVISORY IS THE COPYRIGHT (C) 2000 OF
FOUNDSTONE, INC. AND BELIEVED TO BE ACCURATE AT THE TIME OF PRINTING,
BUT NO REPRESENTATION OR WARRANTY IS GIVEN, EXPRESS OR IMPLIED, AS TO
ITS ACCURACY OR COMPLETENESS. NEITHER THE AUTHOR NOR THE PUBLISHER
ACCEPTS ANY LIABILITY WHATSOEVER FOR ANY DIRECT, INDIRECT OR
CONSEQUENTIAL LOSS OR DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR
RELIANCE PLACED ON, THIS INFORMATION FOR ANY PURPOSE. THIS ADVISORY MAY
BE REDISTRIBUTED PROVIDED THAT NO FEE IS ASSIGNED AND THAT THE ADVISORY
IS NOT MODIFIED IN ANY WAY.