Just checked our OS/390 machine. It's running 'VSE-HTTPD/01.04.00' and is also vulnerable. Cute bug. :) -----Original Message----- From: Joe Laffey [mailto:joe@laffeycomputer.com] Sent: Thursday, November 08, 2001 12:45 PM To: 'ken'@FTU Cc: bugtraq Subject: Re: IBM AS/400 HTTP Server '/' attack On Thu, 8 Nov 2001, 'ken'@FTU wrote: > IBM's HTTP Server on the AS/400 platform is vulnerable to an attack > that will show the source code of the page -- such as an .html or .jsp > page -- by attaching an '/' to the end of a URL. > >[snip] > > http://www.foo.com/getsource.jsp/ [snip] > > Since I reported this "non-security" bug so long ago I hope it is fixed > through the regular set of changes. I cannot confirm this bug was fixed. > As far as I know this vulnerability was not yet reported to the public. I can confirm that a server reporting 'IBM-HTTP-Server/1.0' _IS_ vulrable to this. I do not know if updates increment that number or not... -- Joe Laffey | Want to convert subnet masks between different LAFFEY Computer Imaging | notations, or figure the number of IPs in a block? St. Louis, MO | Whatmask-It's FREE - www.laffeycomputer.com/wm.html ---------------------------------------------------------------------------- --
