IBM WebSphere/WebLogic application source file exposure - Vulnerability Database

IBM WebSphere/WebLogic application source file exposure

Description

IBM WebSphere Application Server (and, per the title of this check, Oracle WebLogic) can be made to serve application source files to an unauthenticated remote attacker, even though the servlet specification requires the container to withhold them. The attacker retrieves files from inside a deployed WAR (Web Application Archive), including the contents of the WEB-INF and META-INF directories: the deployment descriptor web.xml, compiled Java classes, property files holding credentials or connection strings, and other resources that must never be delivered to a client. On WebSphere the exposure applies to web applications, web services, and the administrative console when administrative security is disabled. IBM tracks the fix as APAR PK81387; the affected versions are IBM WebSphere Application Server 5.1, 6.0, 6.1 and 7.0.

Remediation

Take the following steps to remediate this vulnerability:

1. Apply Security Patches:
Install IBM's PK81387 fix for the WebSphere Application Server release you run. The interim fix and the fix packs that contain it are listed on IBM Support (reference: http://www-01.ibm.com/support/docview.wss?uid=swg24022456); apply the one that matches your exact version and restart the affected profiles.

2. Upgrade WebSphere:
If possible, upgrade to WebSphere Application Server version 7.0.0.1 or later, which includes the security fix.

3. Enable Administrative Security:
Ensure administrative security is enabled on the WebSphere administrative console to prevent unauthorized access.

4. Verify Protection:
After applying the patch, verify that WEB-INF and META-INF cannot be fetched directly by requesting, for example, http://yourserver/application/WEB-INF/web.xml and http://yourserver/application/META-INF/MANIFEST.MF in a browser or with curl. The container should answer 403 Forbidden or 404 Not Found. A 200 response whose body is the deployment descriptor (it contains a <web-app> element) means the fix is not effective; a 200 that carries a custom error page is inconclusive, so inspect the body rather than trusting the status code alone.

5. Review Web Server Configuration:
Configure the web server or reverse proxy in front of the application server (for WebSphere, typically IBM HTTP Server with the WebSphere plug-in) to reject any request whose path contains WEB-INF or META-INF, matched case-insensitively, and to block direct requests for .class, .xml and .properties files under those directories. Treat this as defence in depth: it limits the damage if a similar container bug reappears, but it does not replace the patch, because any path that reaches the container without passing through the proxy bypasses the rule.
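The verification in step 4 and the proxy rule in step 5 can be checked from the command line with the following script. It is an added example written for this page, not a tool from IBM or Invicti: it requests a small, constructed list of paths that a servlet container must never serve (the canonical WEB-INF and META-INF names plus lower-case variants, included only as a generic hardening probe, not as a claim about the exact bypass PK81387 fixed) and classifies each response by status code and body rather than status alone. The default base URL, port 9080 and the context root "application" are assumptions; pass your own base URL as the first argument.

```python
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Constructed probe list: files a servlet container must not serve directly.
# The lower-case entries are a generic proxy/case-handling probe (assumption),
# not the specific vector behind PK81387.
PROBE_PATHS = [
    "WEB-INF/web.xml",
    "META-INF/MANIFEST.MF",
    "web-inf/web.xml",
    "meta-inf/MANIFEST.MF",
]

# Responses the remediation text accepts as "blocked".
SAFE_STATUSES = {403, 404}

# Byte markers that identify the real file rather than an error page.
LEAK_MARKERS = (b"<web-app", b"Manifest-Version")


def classify(status, body):
    """Classify one probe as 'blocked', 'exposed' or 'suspicious'.

    'suspicious' covers anything that is neither a clean block nor a
    confirmed leak: a 200 carrying a custom error page, a redirect to a
    login form, a 500, and so on. Those need a manual look.
    """
    if status in SAFE_STATUSES:
        return "blocked"
    if status == 200 and any(marker in body for marker in LEAK_MARKERS):
        return "exposed"
    return "suspicious"


def fetch_http(url, timeout=10):
    """Fetch a URL and return (status, first 4 KiB of body).

    HTTPError is a response too: 403/404 arrive here and are passed on
    with their status so that classify() can count them as blocked.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "webinf-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096)
    except urllib.error.HTTPError as err:
        return err.code, err.read(4096)


def check_app(base_url, fetch=fetch_http):
    """Probe every path under base_url; return {path: classification}."""
    root = base_url.rstrip("/") + "/"
    return {path: classify(*fetch(urljoin(root, path))) for path in PROBE_PATHS}


if __name__ == "__main__":
    # Assumed defaults: WebSphere's usual HTTP port and a context root of /application.
    base = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:9080/application/"
    results = check_app(base)
    for path, verdict in results.items():
        print(f"{verdict:10s} {urljoin(base.rstrip('/') + '/', path)}")
    # Non-zero exit lets the check fail a deployment pipeline.
    sys.exit(1 if "exposed" in results.values() else 0)
```

Run it against each context root of the server, not only one application, because every WAR carries its own WEB-INF. An "exposed" verdict after patching means the fix did not take effect on that profile; a run of "suspicious" verdicts usually means a reverse proxy or custom error handler is answering with 200, and the body of those responses should be inspected by hand.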
