November 9, 2001

IBM AS/400 HTTP Server '/' attack

Author: JT Smith

"IBM's HTTP Server on the AS/400 platform is vulnerable to an attack that will show the source code of the page -- such as an .html or .jsp page -- by attaching a '/' to the end of a URL. I was told it was a bug but not a security vulnerability. When I explained that Microsoft had a similar bug (asp dot bug) they told me that 'they did not share the same source code base.' I replied to this ludicrous reply: 'Isn't it possible that since you developed servers that function in a similar manner you have the same logical bug?' To this they were speechless." Help Net Security


