Re: Odd server side scripts source disclosure vulnerability

From: Hugo Fortier (hugo.fortier@gmail.com)
Date: Fri Aug 20 2004 - 16:25:02 EDT


I meant that the Virtual Host is correctly configured, but the default
Document Root doesn't handle the JSP, so it hands out the JSP without it being
processed by WebSphere. The Document Root should probably not point to
the physical location where the JSP resides, because it should be
served by WebSphere, and in fact the Apache server doesn't even need the
permission to read the file... This is probably a common configuration
mistake made through miscomprehension of the integration of those 2
products.

I have no experience with IBM HTTP Server and WebSphere, so I don't
fully understand their integration, but I do have experience with
WebSphere and some other web server products.

Hugo Fortier

On Fri, 20 Aug 2004 16:13:02 -0400, Hugo Fortier <hugo.fortier@gmail.com> wrote:
> I believe your bug is probably related to Virtual Host... The target
> site probably has a Virtual Host defined where the handlers for
> the JSP aren't correctly configured...
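
An audit check for the misconfiguration described in this message, added here as an example and not part of the original post: it reads Apache-style configuration text (the syntax IBM HTTP Server also uses) and lists JSP sources that sit under a DocumentRoot and are readable. It assumes it is run as the web server's account; the directory layout and file names in `demo()` are constructed.

```python
import os
import re
import tempfile

# DocumentRoot directives, quoted or unquoted; commented-out lines do not match.
DOCROOT_RE = re.compile(r'^\s*DocumentRoot\s+"?([^"\n]+?)"?\s*$', re.I | re.M)
SCRIPT_EXTS = (".jsp", ".jspx", ".jspf")

def document_roots(conf_text):
    """Return every active DocumentRoot path found in the config text."""
    return DOCROOT_RE.findall(conf_text)

def exposed_scripts(conf_text):
    """Map each DocumentRoot to the JSP sources readable beneath it."""
    findings = {}
    for root in document_roots(conf_text):
        hits = []
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                # Readable by this account means the static handler can return it raw.
                if name.lower().endswith(SCRIPT_EXTS) and os.access(path, os.R_OK):
                    hits.append(os.path.relpath(path, root))
        if hits:
            findings[root] = sorted(hits)
    return findings

def demo():
    """Constructed layout: one vhost rooted in the app directory, one on static files."""
    base = tempfile.mkdtemp()
    app = os.path.join(base, "installedApps", "shop.war")
    static = os.path.join(base, "htdocs")
    os.makedirs(os.path.join(app, "admin"))
    os.makedirs(static)
    for rel in ("index.jsp", os.path.join("admin", "login.jsp"), "logo.gif"):
        open(os.path.join(app, rel), "w").close()
    open(os.path.join(static, "index.html"), "w").close()
    conf = (
        '# DocumentRoot "/commented/out"\n'
        f'<VirtualHost *:80>\n    DocumentRoot "{app}"\n</VirtualHost>\n'
        f'<VirtualHost *:80>\n    DocumentRoot {static}\n</VirtualHost>\n'
    )
    return app, static, exposed_scripts(conf)

if __name__ == "__main__":
    for root, files in demo()[2].items():
        print(root, "->", files)
```

Any finding means the front-end server can return that file unprocessed if a request reaches its default handler; moving the DocumentRoot to a directory holding only static content, or removing the server account's read permission on the application files, clears it.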




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:00 EDT