
BEA WebLogic 5.1.0 SP 6, and probably earlier versions show code vulnerability
Vulnerability

    WebLogic

Affected

    BEA WebLogic 5.1.0 SP 6, and probably earlier versions

Description

    Sverre H. Huseby found the following.  The reported problem seems
    to have been fixed in recent versions, without Sverre talking to
    BEA.  This may indicate that other people have reported the problem
    before him.  It may also mean that the problem is related to other
    URL parsing errors in WebLogic, such as the one reported recently
    by Peter Grundl.

    BEA WebLogic may be tricked into revealing the source code of JSP
    scripts by using simple URL encoding of characters in the filename
    extension.  It seems that the built-in web server in WebLogic does
    URL decoding in an unreasonable order.  URLs like the following:

        http://XXX/index.js%70

    where %70 is a URL-encoded 'p', return the source code of
    index.jsp rather than running the script on the server side.

    To speculate (read: guess): the JSP handler is skipped because
    this URL does not end in ".jsp", but the static file handler is
    nevertheless able to map the URL to the correct file name.
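
    The ordering guessed at above, modelled as an added example (not
    WebLogic code and not from the original advisory): the same
    request is dispatched in the guessed order and in a decode-first
    order, and a small check picks such requests out of request lines.
    All function names and the sample request lines are constructed
    for illustration.

```python
import posixpath
from urllib.parse import unquote

SCRIPT_EXTS = {".jsp"}  # extensions that must execute, never be sent as text


def ext(path):
    """Lower-cased extension of a URL path (query string already removed)."""
    return posixpath.splitext(path)[1].lower()


def dispatch_vulnerable(raw_path):
    """Order the advisory guesses at: the handler is chosen from the raw
    URL, and decoding happens only when the path is mapped to a file."""
    handler = "jsp" if ext(raw_path) in SCRIPT_EXTS else "static"
    return handler, unquote(raw_path)


def dispatch_fixed(raw_path):
    """Decode once, then make every decision on the decoded path."""
    path = unquote(raw_path)
    handler = "jsp" if ext(path) in SCRIPT_EXTS else "static"
    return handler, path


def encoded_extension_requests(request_lines):
    """Return request paths whose extension is a script type only after
    decoding, i.e. requests the guessed order sends to the static handler."""
    hits = []
    for line in request_lines:
        parts = line.split()
        if len(parts) < 2:
            continue  # not a "METHOD path VERSION" request line
        raw = parts[1].split("?", 1)[0]  # drop the query string
        if ext(unquote(raw)) in SCRIPT_EXTS and ext(raw) not in SCRIPT_EXTS:
            hits.append(raw)
    return hits


# Constructed request lines (not taken from a real log).
SAMPLE = [
    "GET /index.jsp HTTP/1.0",
    "GET /index.js%70 HTTP/1.0",
    "GET /img/logo%20new.gif HTTP/1.0",
    "GET /app/login.js%70?next=/ HTTP/1.0",
]

if __name__ == "__main__":
    for raw in ("/index.jsp", "/index.js%70"):
        print(raw, dispatch_vulnerable(raw), dispatch_fixed(raw))
    print(encoded_extension_requests(SAMPLE))
```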

    This design error makes it possible to fetch the source code of
    JSP scripts.  Such source code may contain database passwords and
    file names, and may reveal design errors or programming bugs that
    make it possible to further exploit the server or service.

Solution

    The problem seems to be gone in 5.1.0 SP 8.
