TUCoPS :: Web :: Servers :: wlogic1.txt

Weblogic server unauthorized files access

COMMAND

    WebLogic

SYSTEMS AFFECTED

    BEA WebLogic Enterprise 5.1.x, WebLogic Server and Express 4.5.x, 5.1.x

PROBLEM

    Following is based on Foundstone Security Advisory by Saumil  Shah
    and Shreeraj Shah.  Two show code vulnerabilities exist with BEA's
    WebLogic 5.1.0 allowing an attacker to view the source code of any
    file within the web document root of the web server.  Depending on
    web application  and directory  structure attacker  can access and
    view unauthorized files.

    1. Viewing unparsed pages by forcibly invoking SSIServlet
    =========================================================
    Server  Side  Includes  pages  are  processed by the SSIServlet in
    WebLogic.   It is  registered in  the weblogic.properties  file as
    follows:

        weblogic.httpd.register.*.shtml=weblogic.servlet.ServerSideIncludeServlet

    It turns  out that  the wild  card (*)  registration can itself be
    used as a handler to invoke the SSIServlet via a URL.

    Thus, if the file path in the URL is prefixed with /*.shtml/,  one
    can  force  that  file  to  be  processed  by SSIServlet.  If used
    against other file types such as .jsp and .jhtml, unparsed jsp and
    jhtml code can be viewed.

    2. Viewing unparsed pages by forcibly invoking FileServlet
    ==========================================================
    WebLogic comes pre-configured  with the ConsoleHelp  servlet being
    registered  to  invoke  FileServlet,  as  can  be  seen  from  the
    following lines in the weblogic.properties file:

        # For Console help. Do not modify.
        weblogic.httpd.register.ConsoleHelp=weblogic.servlet.FileServlet
        weblogic.httpd.initArgs.ConsoleHelp=\defaultFilename=/weblogic/admin/help/NoContent.html
        weblogic.allow.execute.weblogic.servlet.ConsoleHelp=everyone

    Thus, if the file path in the URL is prefixed with  /ConsoleHelp/,
    it causes WebLogic to invoke FileServlet, which causes pages to be
    displayed without being parsed or compiled.

    Proof of concept?

    1. Using *.shtml:
       Prefixing the  path to  web pages  with "/*.shtml/"  in the URL
       causes  the  file  to  be  displayed  since  it is processed by
       SSIServlet.  For example if the URL for a file "login.jsp" is:

        http://site.running.weblogic/login.jsp

       then accessing

        http://site.running.weblogic/*.shtml/login.jsp

       would served by  SSIServlet and jsp/jhtml  code can be  seen in
       the web browser.

    2. Using ConsoleHelp:
       Prefixing the path to web pages with "/ConsoleHelp/" in the URL
       causes  the  file  to  be  displayed  without  being  parsed or
       compiled.  For example if the URL for a file "login.jsp" is:

        http://site.running.weblogic/login.jsp

       then accessing

        http://site.running.weblogic/ConsoleHelp/login.jsp

       would cause  the unparsed  contents of  the file  to show up in
       the web browser.

SOLUTION

    Please  refer  to  BEA  security  advisory  BEA00-03.00.  From the
    vendor (as appears in BEA00-03.00):

   (1) Apply the "Show Code" vulnerability patch available from BEA
       Technical Support.  This patch is available for:

        - The J-Engine in BEA WebLogic Enterprise 5.1.x
        - BEA WebLogic Server and Express 5.1.x
        - BEA WebLogic Server and Express 4.5.x

       Contact BEA Technical Support at support@bea.com for patch.

   (2) Once    the   patch    has    been    applied,   review     the
       weblogic.propertiesfile and ensure  that the following  changes
       have been made:

        weblogic.httpd.register.file=weblogic.servlet.FileServlet
        weblogic.httpd.initArgs.file=defaultFilename=index.html
        weblogic.httpd.defaultServlet=file

       should be changed to:

        weblogic.httpd.register.*.html=weblogic.servlet.FileServlet
        weblogic.httpd.initArgs.*.html=defaultFilename=index.html
        weblogic.httpd.defaultServlet=*.html

    Future  Service  Packs  for  BEA  WebLogic Server and Express will
    also contain the patch to address this vulnerability.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH