OSEC

 
From: mhalls (mhallsNIELSEN.NET)
Date: Thu Jan 25 2001 - 17:13:33 CST


    Summary: When IBM WebSphere application server shares the same document
    root as Netscape Enterprise server, it is possible for a malicious user to
    view the source of any JSP file in the document root.

    WebSphere's plugin for Netscape Enterprise server uses the host header
    sent from the client browser to determine if it should intercept a request
    by matching the host header against its list of "host aliases" configured
    in WebSphere. Changing the host header to a value that WebSphere
    doesn't expect bypasses the plugin, allowing the JSP file to be delivered
    as a regular file by Netscape Enterprise server.

    Exploit: Configure your hosts file to point a random name to the IP
    address of the server and then point your browser to
    http://randomhostname/somejspfile.jsp. If the randomhostname is not in
    WebSphere's list of host aliases, it will be served as a regular
    file.

    Solution: Change the document root of WebSphere to point to a different
    location than the Netscape Enterprise Server document root and move all
    JSP files to the new location. Maybe others?
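
For detection, the condition described above (a JSP request answered successfully for a Host value outside the WebSphere alias list) can be searched for in web server access logs. The following is an added example, not part of the original post or of either product. The log layout, the alias set, the host normalization rules and the sample lines are all constructed assumptions, and the server must be configured to record the Host header.

```python
import re
from urllib.parse import urlsplit

# Assumed values: replace with the host aliases configured in WebSphere.
HOST_ALIASES = {"www.example.com", "example.com"}

# Constructed log layout (an assumption, not a product default):
#   client "Host header" "request line" status bytes
LINE_RE = re.compile(
    r'^(?P<client>\S+) "(?P<host>[^"]*)" '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

def normalize_host(host):
    """Lower-case the Host value, drop any :port and trailing dot (assumed rules)."""
    host = host.strip().lower()
    if host.startswith("["):                 # IPv6 literal such as [::1]:80
        return host.split("]")[0] + "]"
    return host.split(":")[0].rstrip(".")

def is_jsp(target):
    """True if the request path ends in .jsp, ignoring query string and ;params."""
    path = urlsplit(target).path.split(";")[0]
    return path.lower().endswith(".jsp")

def find_bypasses(lines, aliases=HOST_ALIASES):
    """Return (client, host, target) for 2xx JSP responses whose Host is not an alias."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                         # skip lines in another layout
        host = normalize_host(m["host"])
        if is_jsp(m["target"]) and m["status"].startswith("2") and host not in aliases:
            hits.append((m["client"], host, m["target"]))
    return hits

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 "www.example.com" "GET /index.jsp HTTP/1.1" 200 5120',
    '198.51.100.7 "randomhostname" "GET /somejspfile.jsp HTTP/1.1" 200 842',
    '198.51.100.7 "randomhostname" "GET /logo.gif HTTP/1.1" 200 300',
    '192.0.2.11 "WWW.EXAMPLE.COM:80" "GET /login.jsp?next=/ HTTP/1.1" 200 2048',
    '198.51.100.9 "192.0.2.1" "GET /admin/Config.JSP HTTP/1.0" 200 1200',
    '198.51.100.9 "other" "GET /missing.jsp HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for client, host, target in find_bypasses(SAMPLE_LOG):
        print(f"JSP served outside alias list: client={client} host={host} path={target}")
```

Requests made by bare IP address are flagged too, since an IP is only intercepted by the plugin if it is itself listed as a host alias.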