IBM WebSphere源代码暴露漏洞
更新时间:2006年10月13日 00:00:00 作者:
bugtraq id 1500
class Access Validation Error
cve GENERIC-MAP-NOMATCH
remote Yes
local Yes
published July 24, 2000
updated July 24, 2000
vulnerable IBM Websphere Application Server 3.0.21
- Sun Solaris 8.0
- Microsoft Windows NT 4.0
- Linux kernel 2.3.x
- IBM AIX 4.3
IBM Websphere Application Server 3.0
- Sun Solaris 8.0
- Novell Netware 5.0
- Microsoft Windows NT 4.0
- Linux kernel 2.3.x
- IBM AIX 4.3
IBM Websphere Application Server 2.0
- Sun Solaris 8.0
- Novell Netware 5.0
- Microsoft Windows NT 4.0
- Linux kernel 2.3.x
- IBM AIX 4.3
Certain versions of the IBM WebSphere application server ship with a vulnerability which allows malicious users to view the source of any document which resides in the web document root directory.
This is possible via a flaw which allows a default servlet (different servlets are used to parse different types of content, JHTML, HTMl, JSP, etc.) This default servlet will display the document/page without parsing/compiling it hence allowing the code to be viewed by the end user.
The Foundstone, Inc. advisory which covered this problem detailed the following method of verifying the vulnerability - full text of this advisory is available in the 'Credit' section of this entry:
"It is easy to verify this vulnerability for a given system. Prefixing the path to web pages with "/servlet/file/" in the URL causes the file to be displayed without being
parsed or compiled. For example if the URL for a file "login.jsp" is:
http://site.running.websphere/login.jsp
then accessing
http://site.running.websphere/servlet/file/login.jsp
would cause the unparsed contents of the file to show up in the web browser."
class Access Validation Error
cve GENERIC-MAP-NOMATCH
remote Yes
local Yes
published July 24, 2000
updated July 24, 2000
vulnerable IBM Websphere Application Server 3.0.21
- Sun Solaris 8.0
- Microsoft Windows NT 4.0
- Linux kernel 2.3.x
- IBM AIX 4.3
IBM Websphere Application Server 3.0
- Sun Solaris 8.0
- Novell Netware 5.0
- Microsoft Windows NT 4.0
- Linux kernel 2.3.x
- IBM AIX 4.3
IBM Websphere Application Server 2.0
- Sun Solaris 8.0
- Novell Netware 5.0
- Microsoft Windows NT 4.0
- Linux kernel 2.3.x
- IBM AIX 4.3
Certain versions of the IBM WebSphere application server ship with a vulnerability which allows malicious users to view the source of any document which resides in the web document root directory.
This is possible via a flaw which allows a default servlet (different servlets are used to parse different types of content, JHTML, HTMl, JSP, etc.) This default servlet will display the document/page without parsing/compiling it hence allowing the code to be viewed by the end user.
The Foundstone, Inc. advisory which covered this problem detailed the following method of verifying the vulnerability - full text of this advisory is available in the 'Credit' section of this entry:
"It is easy to verify this vulnerability for a given system. Prefixing the path to web pages with "/servlet/file/" in the URL causes the file to be displayed without being
parsed or compiled. For example if the URL for a file "login.jsp" is:
http://site.running.websphere/login.jsp
then accessing
http://site.running.websphere/servlet/file/login.jsp
would cause the unparsed contents of the file to show up in the web browser."
相关文章
JBuilder2005单元测试体验之测试配置...2006-10-10
jsp项目中更改tomcat的默认index.jsp访问路径的方法
如何更改tomcat的默认index.jsp访问路径,jsp的工程下有一个叫做WEB-INF文件夹下的web.xml打开它,按照下面的方法即可修改2013-11-11
最近在使用EL表达式的时候发现它不被解析,而是直接以字符串的形式显示了出来,经过查阅资料和实践,终于得知了原因并找到了解决方案2012-07-07
下面小编就为大家分享一篇jsp 使用request为页面添加静态数据的实例,具有很好的参考价值,希望对大家有所帮助。一起跟随小编过来看看吧2017-12-12
十二、脚本元素、指令和预定义变量...2006-10-10
下面小编就为大家带来一篇jsp中为表格添加水平滚动条的方法。小编觉得挺不错的,现在就分享给大家,也给大家做个参考。一起跟随小编过来看看吧2016-09-09
这篇文章主要介绍了springMVC解决ajax请求乱码的三种方法的相关资料,在springmvc的项目中,使用返回页面的请求方式,数据都能正常显示,但是对于ajax的请求,始终显示乱码,这里提供解决办法,需要的朋友可以参考下2017-07-07
jsp页面中EL表达式被当成字符串处理不显示值问题的解决方法
下面小编就为大家带来一篇jsp页面中EL表达式被当成字符串处理不显示值问题的解决方法。小编觉得挺不错的,现在就分享给大家,也给大家做个参考。一起跟随小编过来看看吧2016-09-09
JSP迅速入门...2006-10-10
这篇文章主要介绍了秒杀系统Web层设计的实现方法的相关资料,希望通过本文能帮助到大家,让大家掌握这样的设计方式,需要的朋友可以参考下2017-10-10
最新评论