IBM WebSphere Application Server Welcome Page Security Bypass

2005-08-11T09:47:32
ID OSVDB:25368
Type osvdb
Reporter OSVDB
Modified 2005-08-11T09:47:32

Description

Vulnerability Description

WebSphere Application Server contains a flaw that may lead to unauthorized access. The issue is triggered when a web application context is protected by a security constraint whose url-pattern is '/*'. A direct request for the context's index page by file name (for example /context/index.html) is subject to authentication, whereas a request for the directory itself (/context/) is not, even though '/*' should cover both. The server serves the index page as the directory's welcome file without authentication, resulting in a loss of confidentiality.

Solution Description

Upgrade to version 6.0.2.3 or higher, as it has been reported to fix this vulnerability. In addition, IBM has released a patch (Fix Pack 3) for some older versions.

Short Description

WebSphere Application Server contains a flaw that may lead to unauthorized access. The issue is triggered when a web application context is protected by a security constraint whose url-pattern is '/*'. A direct request for the context's index page by file name (for example /context/index.html) is subject to authentication, whereas a request for the directory itself (/context/) is not, even though '/*' should cover both. The server serves the index page as the directory's welcome file without authentication, resulting in a loss of confidentiality.
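The following is an added illustration, not code from the advisory or from IBM: a minimal model of servlet-style security-constraint matching and welcome-file handling, showing why a '/*' constraint has to be applied to the directory request (/context/) exactly as it is to the explicit file request (/context/index.html). The vulnerable_dispatch function models the behaviour the advisory describes (directory requests bypassing the check); that mechanism is an assumption made for the example, not a description of WebSphere's actual implementation. All names (SecurityConstraint, pattern_matches, fixed_dispatch, PROTECT_ALL) and the sample configuration are constructed.

```python
"""Model of servlet-style security constraints and welcome-file resolution.

Added example: shows that a '/*' url-pattern must cover the bare directory
request as well as the explicit file name, and how a dispatcher that resolves
the welcome file before (or instead of) authorizing the request leaks it.
"""

from dataclasses import dataclass

# Constructed sample configuration: one welcome file for the context.
WELCOME_FILES = ["index.html"]


@dataclass(frozen=True)
class SecurityConstraint:
    url_patterns: tuple   # context-relative url-patterns, e.g. ("/*",)
    roles: frozenset      # roles allowed to reach the matched resources


def pattern_matches(pattern: str, path: str) -> bool:
    """Servlet-spec style url-pattern matching on a context-relative path.

    Supports exact match, path-prefix match ('/dir/*'; the bare '/*' covers
    everything in the context, including the directory request '/'), and
    extension match ('*.jsp').
    """
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return False


def required_roles(constraints, path):
    """Union of the roles demanded by every constraint matching `path`."""
    roles = set()
    for c in constraints:
        if any(pattern_matches(p, path) for p in c.url_patterns):
            roles |= c.roles
    return roles


def authorized(constraints, path, user_roles):
    """True if no constraint applies or the user holds one of the required roles."""
    needed = required_roles(constraints, path)
    return not needed or bool(needed & user_roles)


def resolve_welcome(path):
    """Map a directory request to its welcome file; other paths are unchanged."""
    if path.endswith("/"):
        return path + WELCOME_FILES[0]
    return path


def vulnerable_dispatch(constraints, path, user_roles):
    """Assumed flaw mechanism (constructed for this example): only requests
    that name a resource are authorized; a directory request is resolved to
    its welcome file and served without the constraint check."""
    if path.endswith("/"):
        return 200, "served " + resolve_welcome(path)
    if not authorized(constraints, path, user_roles):
        return 401, "authentication required"
    return 200, "served " + path


def fixed_dispatch(constraints, path, user_roles):
    """Correct order: authorize the path exactly as requested AND the resource
    it resolves to, so neither request form bypasses the '/*' constraint."""
    for p in (path, resolve_welcome(path)):
        if not authorized(constraints, p, user_roles):
            return 401, "authentication required"
    return 200, "served " + resolve_welcome(path)


# Constructed example: the whole context is protected with '/*'.
PROTECT_ALL = (SecurityConstraint(("/*",), frozenset({"user"})),)


def demo():
    """Status codes an unauthenticated client gets for the two request forms
    under the flawed and the fixed dispatcher."""
    anon = frozenset()
    forms = ("/index.html", "/")
    return {
        "vulnerable": {p: vulnerable_dispatch(PROTECT_ALL, p, anon)[0] for p in forms},
        "fixed": {p: fixed_dispatch(PROTECT_ALL, p, anon)[0] for p in forms},
    }


if __name__ == "__main__":
    print(demo())
```

To check a deployed server for this class of issue, request both forms of the protected context with an unauthenticated client (the file name and the bare directory, with and without the trailing slash) and compare the responses: every form should produce the same authentication challenge or login redirect, and a 200 with page content for the directory form alone is the bypass.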

References:

Vendor Specific Advisory URL
Secunia Advisory ID: 20025
Keyword: 4010245, PK10057
FrSIRT Advisory: ADV-2006-1724
CVE-2006-2342
Bugtraq ID: 17900