| Field | Value |
|---|---|
| VID | 22344 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | WWW |
| Detailed Description | The WebSphere Application Server is vulnerable to JSP source code disclosure via a non-existent hostname. IBM WebSphere Application Server versions 6.0 and earlier could allow a remote attacker to view the source code of various JavaServer Pages (JSP) scripts. The problem is caused by an error in request handling in certain configurations where the document root of the web server equals the document root of the application server. This can be exploited to disclose the source code of JSP scripts by sending a specially crafted request with a non-existent hostname in the "Host" HTTP header. |
| References | http://secunia.com/advisories/14962/ |
| Platforms Affected | IBM WebSphere Application Server versions 6.0 and earlier; any operating system, any version |
| Recommendation | No upgrade or patch available as of April 2005. Download and install the patch, when a patch fixing this problem becomes available, from the IBM WebSphere Application Server Web page at http://www-306.ibm.com/software/webservers/appserv/was/ |
| Related URL | CVE-2005-1112 (CVE) |
| Related URL | 13160 (SecurityFocus) |
| Related URL | 20099 (ISS) |