IBM Support

PK32374; 6.1.0.3: JSP source code may be exposed when file serving is enabled

Download


Abstract

The webcontainer incorrectly handles some requests for a Java™ Server Page (JSP) and, as a result, incorrectly displays the source code.

Download Description

PK32374 resolves the following problem:

ERROR DESCRIPTION:
The source code of a JSP is displayed for specific requests when servlet caching and file serving are
enabled.

LOCAL FIX:

PROBLEM SUMMARY

USERS AFFECTED:
IBM® WebSphere® Application Server version 6.0 users who use servlet caching and file serving.


PROBLEM DESCRIPTION:
The webcontainer incorrectly handles some requests for a JSP and, as a result, displays the source code.


RECOMMENDATION:
None

If a web application has file serving enabled (fileServingEnabled="true" in the ibm-web-ext.xmi file),
servlet caching is enabled, and the application includes a JSP, a request for the JSP can cause
the source code of the associated .jsp file to be displayed.

Details of the type of requests which will result in such an exposure are not described in order to reduce the exposure.
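
To find applications that meet the application-side conditions above, the following added example (not IBM code) walks a directory of expanded web modules and flags those whose WEB-INF/ibm-web-ext.xmi sets fileServingEnabled="true" and that contain .jsp files. The function names and the sample modules are constructed for illustration; servlet caching is a server-level setting and is not checked here.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

def audit_web_modules(root_dir):
    """Return one finding per web module that has WEB-INF/ibm-web-ext.xmi."""
    findings = []
    for dirpath, _, filenames in os.walk(root_dir):
        if os.path.basename(dirpath) != "WEB-INF" or "ibm-web-ext.xmi" not in filenames:
            continue
        module_root = os.path.dirname(dirpath)
        ext_root = ET.parse(os.path.join(dirpath, "ibm-web-ext.xmi")).getroot()
        # Unqualified attribute on the root element; None when it is not set.
        setting = ext_root.get("fileServingEnabled")
        jsps = sorted(
            os.path.relpath(os.path.join(d, f), module_root)
            for d, _, files in os.walk(module_root)
            for f in files if f.lower().endswith(".jsp")
        )
        findings.append({
            "module": os.path.relpath(module_root, root_dir),
            "fileServingEnabled": setting,
            "jsps": jsps,
            # True when both application-side conditions of the advisory hold.
            "review": setting == "true" and bool(jsps),
        })
    return sorted(findings, key=lambda f: f["module"])

def build_sample_tree(base):
    """Constructed sample layout: two expanded WAR directories."""
    xmi = ('<webappext:WebAppExtension xmlns:xmi="http://www.omg.org/XMI" '
           'xmlns:webappext="webappext.xmi" xmi:version="2.0" '
           'fileServingEnabled="{}"/>')
    for war, flag, pages in (("shop.war", "true", ["index.jsp", "admin/report.jsp"]),
                             ("api.war", "false", ["status.jsp"])):
        web_inf = os.path.join(base, war, "WEB-INF")
        os.makedirs(web_inf)
        with open(os.path.join(web_inf, "ibm-web-ext.xmi"), "w") as fh:
            fh.write(xmi.format(flag))
        for page in pages:
            path = os.path.join(base, war, page)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("<%-- constructed sample --%>\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for finding in audit_web_modules(tmp):
            print(finding)
```

Modules where the attribute is absent are reported with fileServingEnabled set to None so they can be reviewed by hand.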

PROBLEM CONCLUSION:
The webcontainer has been corrected to return an error code (403 or 404) when such requests are made.

The fix for this APAR is currently targeted for inclusion in Fix Pack 6.0.2.17 and 6.1.0.5.

Refer to the recommended updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Prerequisites

Download the UpdateInstaller below to install this fix.

UpdateInstaller (US English, size 7250000, AIX): http://www.ibm.com/support/docview.wss?rs=180&uid=swg21205991

Installation Instructions

Review the readme.txt for detailed installation instructions.

Readme (US English, size 5029): ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PK32374/readme.txt

- 6.1.0.2-6.1.0.3-WS-WAS-IFPK32374 (11/20/2006, US English, size 16375, AIX): ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PK32374/6.1.0.2-WS-WAS-IFPK32374.pak
- 6.0.2.13-6.0.2.15-WS-WAS-IFPK32374 (11/20/2006, US English, size 14948, AIX): ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PK32374/6.0.2.13-WS-WAS-IFPK32374.pak
- 6.0.2.3-WS-WAS-IFPK32374 (3/6/2007, US English, size 37498, AIX): ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PK32374/6.0.2.3-WS-WAS-IFPK32374.pak

Technical Support

Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the WebSphere Application Server Support Web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).


Document Information

Modified date:
15 June 2018

UID

swg24015155