VID | 22422
Severity | 40
Port | 80, ...
Protocol | TCP
Class | WWW
Detailed Description | The WebSphere Application Server is vulnerable to a JSP source code disclosure vulnerability via a request with '%20' appended. IBM WebSphere Application Server versions prior to 6.1.0.2 could allow a remote attacker to view the source code of various JavaServer Pages (JSP) scripts by requesting the .jsp file with '%20' appended to the request. A remote attacker could send a specially crafted URL to WebSphere to cause the requested JSP file's source code to be disclosed, which would allow the attacker to obtain sensitive information.
* References:
  - http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg24013142
  - http://www.frsirt.com/english/advisories/2006/4000
  - http://secunia.com/advisories/22372
* Platforms Affected: IBM WebSphere Application Server versions prior to 6.1.0.2; any operating system; any version
Recommendation | Upgrade to the latest version of IBM WebSphere Application Server (6.1.0 Fix Pack 2 or later), available from the IBM Support Web site at http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg24013142
Related URL | CVE-2006-5323 (CVE)
Related URL | 20455 (SecurityFocus)
Related URL | 29641 (ISS)