roller-user mailing list archives

From Joe Faith <>
Subject security issue
Date Thu, 08 Sep 2011 22:31:33 GMT

I'm using roller version 4.0.1 on tomcat 5.5.30 to run the blog on a small
ecommerce site. We have been security scanned for PCI (credit card)
accreditation, and this exposed the following issue. I'm not sure what the
problem is here, or what the fix might be. Would upgrading to roller 5.0
help? (I've been putting this off!)

Any help would be gratefully received.

We will need an explanation for the 200 OK.

GET /news/index.jsp HTTP/1.0
Host: n0nex1st

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Tue, 06 Sep 2011 10:37:00 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 139127
Date: Wed, 07 Sep 2011 19:21:43 GMT
Connection: close

vulnerability report:

Description: WebSphere JSP source disclosure in web document root
Host: 62-233-100-162.easydservers.com (62.233.100.162), Linux 2.6.18, Sep 05 20:45:46 2011, new
Severity: Area of Concern
CVE:
5.01423new11
Impact: Multiple vulnerabilities could allow a malicious user to crash the
server, or obtain unauthorized access, or obtain sensitive information.
Background: IBM WebSphere is e-business infrastructure software. One
component of the WebSphere product line, WebSphere Application Server (WAS)
is a Java-based environment for building e-business applications.
Resolution:
- WebSphere Application Server 7.0.x should be upgraded to or higher.
- WebSphere Application Server 6.1.x should be upgraded to version or higher.
- WebSphere Application Server 6.0.x should be upgraded to version or higher.
- WebSphere Application Server 5.1.x should be upgraded to a version higher than
- WebSphere Application Server 5.0 through should be upgraded to version
- Install PQ62144 (supersedes PQ62249) for WebSphere 4.0.3 to remove the
  buffer overflow vulnerability, and move JSP files outside the document root
  of the web server.
- Install PQ81278 for WebSphere 5.0 through to remove the XML Attribute
  Parsing Denial of Service vulnerability.
Vulnerability Details:
Service: https
Sent:
GET /news/index.jsp HTTP/1.0
Host: n0nex1st
Received:
?u=<%= <> request.getRequestURL()
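One way to reproduce the two checks the scanner applied, offline, against a captured response: this is example code added here, not code from the thread or from Roller or Tomcat, and the sample responses are constructed from the headers quoted above rather than real captures from the reporter's server.

```python
import re

# Constructed sample responses, modelled on the headers quoted in the post
# (these are not real captures from the reporter's server).
LEAKING_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "\r\n"
    '<a href="index.jsp?u=<%= request.getRequestURL() %>">self</a>\n'
)
RENDERED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "\r\n"
    '<a href="index.jsp?u=http://blog.example/news/index.jsp">self</a>\n'
)

# JSP scriptlet, expression, declaration or directive tags. A compiled JSP
# never emits these, so seeing them in a text/html body means the file was
# served raw or its translation failed. Client-side template engines
# (e.g. underscore.js) use the same <%= ... %> syntax, so review hits by hand.
JSP_TAG = re.compile(r"<%[=!@]?.*?%>", re.DOTALL)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def assess(raw, host_known):
    """Return scanner-style findings for one captured response."""
    status, headers, body = parse_response(raw)
    findings = []
    # Tomcat sends a Host value that matches no configured <Host> to the
    # Engine's defaultHost, so an unknown name is normally answered by the
    # default site with 200. That is expected; it is flagged here only so the
    # assessor's "explain the 200 OK" question can be answered from evidence.
    if not host_known and status == 200:
        findings.append("unknown-host-served-default-site")
    if "text/html" in headers.get("content-type", "") and JSP_TAG.search(body):
        findings.append("jsp-tags-in-html-body")
    return findings
```

Run `assess()` over a real capture of the same request against your own server: a 200 alone is just the default-host behaviour, while JSP tags in the body are what the scanner actually treats as source disclosure.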
