T 3.68 Inadequate or incorrect configuration of the z/OS web server
Accepting the default settings or an incorrect configuration of the z/OS web server can cause security problems.
- When the default settings (httpd.conf file) are used together with incorrectly configured user ID rules, the web server's MVSDS function may under certain circumstances be used to display files that should normally not be available to the user, such as system files.
- Administration errors can result in z/OS web server processes running with the started task ID. If this ID has high-level rights in the system (e.g. super user), security problems may result. File access and commands are then made and run using the authorisation of this ID. As a consequence, it is possible under certain circumstances to access files with customer data or, as described above, system files using the MVS dataset display function.
- The z/OS web server supports encrypted data communication using the SSL protocol. When the parameters have been configured incorrectly, there is a risk that the encryption will be deactivated or that the processes will run under a different RACF ID.
Other threats are listed in module S 5.4 Web server.
Example:
- The use of the default definitions of a z/OS web server enabled an external attacker to view sensitive files. In addition, the web server was configured such that the service ran with high-level rights under its own started task ID. As a result, it was possible for an external attacker to display the SYS1.PROCLIB and SYS1.PARMLIB files. From these files, the attacker was able to obtain information that made it easier to attack the entire z/OS system.