Bugtraq mailing list archives
Re: IBM AS/400 HTTP Server '/' attack
From: "Felix Huber" <huberfelix () webtopia de>
Date: Thu, 8 Nov 2001 22:30:09 +0100
Hi,

you can detect such a server very easily:

----------------------------------------
GET /index.html HTTP/1.0

HTTP/1.0 200 OK
Server: IBM-HTTP-Server/1.0
....
Content-Type: text/html
----------------------------------------

----------------------------------------
GET /index.html/ HTTP/1.0

HTTP/1.0 200 OK
Server: IBM-HTTP-Server/1.0
....
Content-Type: www/unknown    <------- here
----------------------------------------

A NASL Script is attached...

Regards,
Felix Huber

-------------------------------------------------------
Felix Huber, Security Consultant, Webtopia
Guendlinger Str.2, 79241 Ihringen - Germany
huberfelix () webtopia de     (07668) 951 156 (phone)
http://www.webtopia.de        (07668) 951 157 (fax)
                              (01792) 205 724 (mobile)
-------------------------------------------------------

IBM's HTTP Server on the AS/400 platform is vulnerable to an attack that will show the source code of the page -- such as an .html or .jsp page -- by attaching an '/' to the end of a URL. Compare these two URLs:

http://www.foo.com/getsource.jsp
http://www.foo.com/getsource.jsp/

The latter URL will deliver the jsp source to the browser. I reported this problem to IBM approximately 9 or 10 months ago.

Attachment:
ibm_server_code.nasl