IBM Support

PK10057; 6.0.2: A possible security issue with web application's welcome pages

Abstract

Welcome pages are not secured by a security constraint with the URL pattern /* when they are accessed by requesting the context root directly.

Download Description

PK10057 resolves the following problem:

ERROR DESCRIPTION:
WebSphere Application Server version 6.0.2: web application welcome pages are not secured.

The welcome pages are secured by a security constraint in the web application with the URL pattern /*.

If the welcome page (home page) is accessed directly, for example 'http://ServerHost/webapp_context/homepage.jsp', the authentication window appears and the welcome page is secured.

However, if the welcome page is accessed by requesting just the context root, for example 'http://ServerHost/webapp_context/', the welcome page is displayed without authentication, bypassing the security constraint. In this case the welcome page is insecure.

PROBLEM SUMMARY:

USERS AFFECTED:
WebSphere Application Server version 6.0 users who access the welcome page of their application by entering the default context root in the browser.

PROBLEM DESCRIPTION:
There is a possible security issue with web application welcome pages.

RECOMMENDATION:
The welcome pages are secured by a security constraint in the web application with the URL pattern /*.

If the welcome page (home page) is accessed directly, for example 'http://ServerHost/webapp_context/homepage.jsp', the authentication window appears and the welcome page is secured.

However, if the welcome page is accessed by requesting just the context root, for example 'http://ServerHost/webapp_context/', the welcome page is displayed without authentication, bypassing the security constraint. In this case the welcome page is not secure.
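The two requests described above (welcome file directly, then context root only) are what an administrator would compare to confirm the fix on their own deployment. The following script is an added example and is not IBM's code; the host name, context root and welcome file are placeholders, and it assumes that an enforced constraint shows up as a 401 challenge or a redirect to a form-login page.

```python
"""Verify that a context root enforces the same /* constraint as its welcome file.

Added example (not part of the APAR); ServerHost, webapp_context and homepage.jsp
are placeholders taken from the APAR text.
"""
import urllib.error
import urllib.request

# Status codes that show the security constraint was applied: a basic-auth
# challenge (401) or a redirect to a form-login page (302/303).
ENFORCED_STATUSES = {401, 302, 303}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so we see the raw status code."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_status(url):
    """Return the HTTP status code for url without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(status_welcome_file, status_context_root):
    """Compare the two observations and name the outcome.

    'not-constrained': even the welcome file is served unauthenticated, so the
                       /* constraint is not in effect at all (check web.xml).
    'secured':         both requests trigger authentication (expected after the fix).
    'bypass':          the welcome file is protected but the context root is not,
                       which is the behaviour this APAR describes.
    """
    if status_welcome_file not in ENFORCED_STATUSES:
        return "not-constrained"
    if status_context_root in ENFORCED_STATUSES:
        return "secured"
    return "bypass"


def check_welcome_page(base_url, context_root, welcome_file):
    """Probe both URL forms; the trailing slash matters, as in the APAR example."""
    direct = fetch_status(f"{base_url}{context_root}/{welcome_file}")
    root = fetch_status(f"{base_url}{context_root}/")
    return classify(direct, root)


if __name__ == "__main__":
    # Placeholder values; replace with your own server, context root and welcome file.
    print(check_welcome_page("http://ServerHost", "/webapp_context", "homepage.jsp"))
```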

PROBLEM CONCLUSION:
This problem was solved by making changes in the webcontainer component.

The fix for this APAR is currently targeted for inclusion in fixpack version 6.0.2.3.

Please refer to the recommended updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Prerequisites

Please download the UpdateInstaller below to install this fix.

UpdateInstaller (US English, Multi-Platform, size 7250000): http://www.ibm.com/support/docview.wss?rs=180&uid=swg21205991

Installation Instructions

Please review the readme.txt for detailed installation instructions.

Readme (US English, size 1874): ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PK10057/readme.txt

Fix package 6.0.2-WS-WAS-MultiOS-IFPK10057.pak (8/11/2005, US English, Multi-Platform, size 27070): ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PK10057/6.0.2-WS-WAS-MultiOS-IFPK10057.pak

Technical Support

1-800-IBM-SERV (U.S. Only)

Product: WebSphere Application Server (SSEQTP), Component: Security, Platforms: AIX, HP-UX, Linux, Solaris, Windows, Version: 6.0.2, Edition: Base
Product: Runtimes for Java Technology (SSNVBF), Component: Java SDK

Document Information

Modified date: 15 June 2018

UID: swg24010245