Bugtraq mailing list archives

IBM AS/400 HTTP Server '/' attack

From: "'ken'@FTU" <franklin_tech_bulletins () yahoo com>
Date: Thu, 08 Nov 2001 09:41:33 -0500

  IBM's HTTP Server on the AS/400 platform is vulnerable to an attack
that will show the source code of the page -- such as an .html or .jsp
page -- by attaching an '/' to the end of a URL.

Compare these two URL's:

http://www.foo.com/getsource.jsp

http://www.foo.com/getsource.jsp/

The later URL will deliver the jsp source to the browser.

I reported this problem to IBM approximately 9 or 10 months ago.

I was told it was a bug but not a security vulnerability. When I
explained that Microsoft had a similar bug (asp dot bug) they told me
that "they did not share the same source code base." I replied to this
ludicrous reply: "Isn't it possible that since you developed servers
that function in a similar manner you have the same logical bug?" To

this they were speechless. I imagine that a .jsp page could contain usernames and passwords if they are accessing databases, especially if thesedatabases are on the network.


By the way, the IBM HTTP server was derived from an early version of
Apache. I have not seen Apache servers vulnerable to this bug.

Since I reported this "non-security" bug so long ago I hope it is fixed
through the regular set of changes. I cannot confirm this bug was fixed.
As far as I know this vulnerability was not yet reported to the public.

'ken'

Current thread:

IBM AS/400 HTTP Server '/' attack 'ken'@FTU (Nov 08)
- Re: IBM AS/400 HTTP Server '/' attack Felix Huber (Nov 08)
- Re: IBM AS/400 HTTP Server '/' attack Joe Laffey (Nov 08)
- <Possible follow-ups>
- RE: IBM AS/400 HTTP Server '/' attack Chris Best (Nov 08)
  - Re: IBM AS/400 HTTP Server '/' attack Thomas Reinke (Nov 21)
- Re: IBM AS/400 HTTP Server '/' attack Thor (Nov 08)
- Re: IBM AS/400 HTTP Server '/' attack Mike Turk (Nov 13)