vendor:
WebSphere Application Server
by:
SecurityFocus
7.5
CVSS
HIGH
Source Disclosure
200
CWE
Product Name: WebSphere Application Server
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: Yes
Related CWE: N/A
CPE: a:ibm:websphere_application_server
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2002
IBM WebSphere Application Server Source Disclosure Vulnerability
Certain versions of the IBM WebSphere application server ship with a vulnerability which allows malicious users to view the source of any document which resides in the web document root directory. This is possible via a flaw which allows a default servlet (different servlets are used to parse different types of content, JHTML, HTMl, JSP, etc.) This default servlet will display the document/page without parsing/compiling it hence allowing the code to be viewed by the end user. It is easy to verify this vulnerability for a given system. Prefixing the path to web pages with "/servlet/file/" in the URL causes the file to be displayed without being parsed or compiled.
Mitigation:
Ensure that the WebSphere application server is updated to the latest version.
