https://www.exploit-db.com/exploits/25420
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200505-728

IBMWebSphereApplicationServer6.0及更早版本，在共享web服务器的文档root时，远程攻击者可以通过带有无效主机标题的HTTP请求，导致web服务器而非JSP引擎来处理该页面，从而获取JavaServerPages(.jsp)的源代码。

source: http://www.securityfocus.com/bid/13160/info

A remote JSP source disclosure vulnerability reportedly affects the IBM WebSphere Application Server. This issue is due to a failure of the application to properly handle various requests under certain circumstances.

It should be noted that this issue only arises when the Web serve and application server root directories reside in the same location; this is not the default configuration.

An attacker may leverage this issue to disclose JSP source code, facilitating code theft as well as potential further attacks. 

GET /index.jsp HTTP/1.0
Host: NonExistentHost

来源:XF
名称:ibm-websphere-information-disclosure(20099)
链接:http://xforce.iss.net/xforce/xfdb/20099
来源:SECTRACK
名称:1013697
链接:http://securitytracker.com/id?1013697
来源:SECUNIA
名称:14962
链接:http://secunia.com/advisories/14962
来源:BUGTRAQ
名称:20050413IBMWebSphereWidespreadconfigurationJSPdisclosure
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=111342594129109&w;=2
来源:BID
名称:13160
链接:http://www.securityfocus.com/bid/13160
来源:OSVDB
名称:15501
链接:http://www.osvdb.org/15501