OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: IBM WebSphere default servlet handler showcode vulnerability
From: labsFOUNDSTONE.COM
Date: Sun Jul 23 2000 - 20:03:53 CDT


                             Foundstone, Inc.
                        http://www.foundstone.com
                      "Securing the Dot Com World"

                           Security Advisory

     IBM WebSphere default servlet handler showcode vulnerability

----------------------------------------------------------------------
FS Advisory ID: FS-072400-6-IBM

Release Date: July 24, 2000

Product: IBM WebSphere Application Server 3.0.2

Vendor: IBM http://www-4.ibm.com/software/webservers/
                             appserv/

Vendor Advisory: none issued so far.

Type: Unparsed pages: Show code vulnerability

Author: Shreeraj Shah (shreeraj.shahfoundstone.com)
                        Saumil Shah (saumil.shahfoundstone.com)

Operating Systems: All operating systems
----------------------------------------------------------------------

Description

        A show code vulnerability exists with IBM's Websphere allowing
        an attacker to view the source code of any file within the web
        document root of the web server.

Details

        IBM WebSphere uses Java Servlets to handle parsing of various
        types of pages (for example, HTML, JSP, JHTML, etc). In
        addition to different servlets for handling different kinds of
        pages, WebSphere also has a default servlet which is called
        upon if a requested file does not have a registered handler.

        It is possible to force the default servlet to be invoked if
        the file path in the URL is prefixed with "/servlet/file/",
        which causes pages to be displayed without being parsed or
        compiled.

Vulnerable versions

        All versions of IBM WebSphere 3.0.2

Verification of the vulnerability

        It is easy to verify this vulnerability for a given system.
        Prefixing the path to web pages with "/servlet/file/" in the
        URL causes the file to be displayed without being parsed or
        compiled. For example if the URL for a file "login.jsp" is:

        http://site.running.websphere/login.jsp

        then accessing

        http://site.running.websphere/servlet/file/login.jsp

        would cause the unparsed contents of the file to show up in
        the web browser.

Solution

        Workaround:
        Remove the InvokerServlet from the webapplication

        Fix:
        APAR PQ39857 will be available soon at the site:
        http://www-4.ibm.com/software/webservers/appserv/efix.html

Credits

        We would like to thank IBM for their prompt and serious
        reaction to this problem.

Disclaimer

        THE INFORMATION CONTAINED IN THIS ADVISORY IS THE COPYRIGHT
        (C) 2000 OF FOUNDSTONE, INC. AND BELIEVED TO BE ACCURATE AT
        THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS
        GIVEN, EXPRESS OR IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS.
        NEITHER THE AUTHOR NOR THE PUBLISHER ACCEPTS ANY LIABILITY
        WHATSOEVER FOR ANY DIRECT, INDIRECT OR CONSEQUENTIAL LOSS OR
        DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE PLACED
        ON, THIS INFORMATION FOR ANY PURPOSE. THIS ADVISORY MAY BE
        REDISTRIBUTED PROVIDED THAT NO FEE IS ASSIGNED AND THAT THE
        ADVISORY IS NOT MODIFIED IN ANY WAY.