Family: CGI abuses --> Category: infos
IBM WebSphere Application Server JSP Source Disclosure Vulnerability Scan
Vulnerability Scan Summary: Attempts to read the source of a JSP page
Detailed Explanation for this Vulnerability Test
Synopsis :
The remote web server is affected by an information disclosure flaw.
Description :
It is possible to make the remote web server disclose the source code
of its JSP pages by requesting the pages with a non-existent hostname
in the HTTP 'Host' request header when WebSphere Application Server is
sharing the document root of the web server. An attacker may use this
flaw to obtain the source code of your CGIs and possibly to recover
passwords and other sensitive information about this host.
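The check described above, as an added self-test for administrators (not code from the scanner or from IBM): the same JSP is fetched once with the site's real hostname and once with a non-existent one, and the second body is inspected for raw JSP constructs that a compiled page would never return. The fetch function is injected so the classifier can be exercised offline; `urllib_fetch` is the real-network variant. All hostnames and paths are placeholders.

```python
"""Self-check for JSP source disclosure via an unexpected Host header.

If the front-end web server maps an unknown Host to a plain document
root that happens to contain the JSP files, it serves them as static
text instead of handing them to the application server.
"""
import re
import urllib.request
from typing import Callable

# JSP constructs that should never reach a client once the page is compiled.
JSP_MARKERS = (
    re.compile(r"<%@\s*(page|include|taglib)\b"),   # directives
    re.compile(r"<%[=!]?\s"),                        # scriptlets / expressions
    re.compile(r"<jsp:(useBean|include|forward)\b"),  # standard actions
)


def looks_like_jsp_source(body: str) -> bool:
    """True if the response body contains un-processed JSP constructs."""
    return any(m.search(body) for m in JSP_MARKERS)


def urllib_fetch(url: str, host: str) -> str:
    """Fetch `url` sending an explicit Host header (real-network variant)."""
    req = urllib.request.Request(url, headers={"Host": host})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")


def jsp_source_disclosed(fetch: Callable[[str, str], str], url: str,
                         real_host: str,
                         bogus_host: str = "nonexistent.invalid") -> bool:
    """Return True when the bogus-Host response exposes JSP source while the
    real-Host response is rendered normally (the disclosure condition).

    `fetch(url, host)` must return the response body as text; a canned
    function can be passed in for offline use."""
    rendered = fetch(url, real_host)
    leaked = fetch(url, bogus_host)
    return looks_like_jsp_source(leaked) and not looks_like_jsp_source(rendered)


if __name__ == "__main__":
    # Placeholder target: replace with your own front-end URL and hostname.
    target = "http://www.example.test/index.jsp"
    print("disclosed:", jsp_source_disclosed(urllib_fetch, target, "www.example.test"))
```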
See also :
http://marc.theaimsgroup.com/?l=bugtraq&m=111342594129109&w=2
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/rtrb_jspsource.html
Solution :
Move JSP source files outside the web server document root.
Threat Level:
Low / CVSS Base Score : 3
(AV:R/AC:H/Au:NR/C:P/A:N/I:N/B:C)