|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Joe Laffey (joe
laffeycomputer.com)Date: Thu Nov 08 2001 - 12:45:20 CST
On Thu, 8 Nov 2001, 'ken'FTU wrote:
> IBM's HTTP Server on the AS/400 platform is vulnerable to an attack
> that will show the source code of the page -- such as an .html or .jsp
> page -- by attaching an '/' to the end of a URL.
>
>[snip]
>
> http://www.foo.com/getsource.jsp/
[snip]
>
> Since I reported this "non-security" bug so long ago I hope it is fixed
> through the regular set of changes. I cannot confirm this bug was fixed.
> As far as I know this vulnerability was not yet reported to the public.
I can confirm that a server reporting 'IBM-HTTP-Server/1.0' _IS_ vulrable
to this. I do not know if updates increment that number or not...
-- Joe Laffey | Want to convert subnet masks between different LAFFEY Computer Imaging | notations, or figure the number of IPs in a block? St. Louis, MO | Whatmask-It's FREE - www.laffeycomputer.com/wm.html ------------------------------------------------------------------------------
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]