Vulnerabilities > CVE-2005-1112 - Unspecified vulnerability in IBM Websphere Application Server

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
low complexity
ibm
nessus
exploit available
NVD
Published: 2005-05-02
Updated: 2017-07-11

Summary

IBM WebSphere Application Server 6.0 and earlier, when sharing the document root of the web server, allows remote attackers to obtain the source code for Java Server Pages (.jsp) via an HTTP request with an invalid Host header, which causes the page to be processed by the web server instead of the JSP engine.

Vulnerable Configurations

Part Description Count
Application
Ibm
20

Exploit-Db

descriptionIBM WebSphere 5.0/5.1/6.0 Application Server Web Server Root JSP Source Code Disclosure Vulnerability. CVE-2005-1112. Remote exploits for multiple platform
idEDB-ID:25420
last seen2016-02-03
modified2005-04-13
published2005-04-13
reporterSPI Labs
sourcehttps://www.exploit-db.com/download/25420/
titleIBM WebSphere 5.0/5.1/6.0 Application Server Web Server Root JSP Source Code Disclosure Vulnerability

Nessus

NASL familyCGI abuses
NASL idWEBSPHERE_JSP_SOURCE.NASL
descriptionIt is possible to make the remote web server disclose the source code of its JSP pages by requesting the pages with a nonexistent hostname in the HTTP
last seen2020-06-01
modified2020-06-02
plugin id18047
published2005-04-14
reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/18047
titleIBM WebSphere Application Server Malformed Host Header JSP Source Disclosure
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(18047);
 script_version("1.23");
 script_cvs_date("Date: 2018/11/15 20:50:19");

 script_cve_id("CVE-2005-1112");
 script_bugtraq_id(13160);
 
 script_name(english:"IBM WebSphere Application Server Malformed Host Header JSP Source Disclosure");
 script_summary(english:"Attempts to read the source of a jsp page");
 
 script_set_attribute(attribute:"synopsis", value:
"The remote web server is affected by an information disclosure flaw.");
 script_set_attribute(attribute:"description", value:
"It is possible to make the remote web server disclose the source code
of its JSP pages by requesting the pages with a nonexistent hostname
in the HTTP 'Host' header request when WebSphere Application is
sharing the document root of the web server.  An attacker may use this
flaw to get the source code of your CGIs and possibly to obtain
passwords and other relevant information about this host.");
 script_set_attribute(attribute:"see_also", value:"https://marc.info/?l=bugtraq&m=111342594129109&w=2");
 script_set_attribute(attribute:"solution", value:
"Move JSP source files outside the web server document root.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"false");

 script_set_attribute(attribute:"vuln_publication_date", value:"2005/04/13");
 script_set_attribute(attribute:"plugin_publication_date", value:"2005/04/14");

 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:websphere_application_server");
 script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_end_attributes();
 
 script_category(ACT_ATTACK);
 script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
 script_family(english:"CGI abuses");

 script_dependencie("find_service1.nasl", "http_version.nasl");
 script_require_ports("Services/www", 80);
 exit(0);
}

# Check starts here

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

global_var port;

function check(file, hostname)
{
 local_var res,w ;

 w = http_send_recv3(method:"GET", item: file, version: 11, host: hostname, port: port);
 if (isnull(w)) exit(0);
 res = w[2];
 if("<%" >< res) return(1);
 return 0;
}

port = get_http_port(default:80);

 files = get_kb_list(string("www/", port, "/content/extensions/jsp"));
 if(isnull(files))files = make_list("/index.jsp");
 n = 0;
 foreach file (files)
  {
  if(check(file:file, hostname:get_host_name()) == 0)
   {
   if(check(file:file, hostname:"sjfklsjfkldfjklsdfjdlksjfdsljk.foo."))
   { 
    if (report_verbosity)
    {
     req = str_replace(find:'\n', replace:'\n  ', string: http_last_sent_request());
     report = string(
      "\n",
      "Nessus was able to exploit the issue using the following\n",
      "request :\n",
      "\n",
      "  ", req, "\n"
     );
     if (report_verbosity > 1)
     {
      res = str_replace(find:'\n', replace:'\n  ', string:res);
      report = string(
       report,
       "\n",
       "Here is the JSP source received :\n",
       "\n",
       res
      );
     }
     security_note(port:port, extra:report);
    }
    else security_note(port);

    exit(0);
   }
  }
  n ++;
  if(n > 20)exit(0);
 }

References