COMMAND

    Bea Weblogic incorrect URL parsing issues

SYSTEMS AFFECTED

    Tested on: Bea Weblogic V6.1 Service Pack 2 on Windows 2000 Server

PROBLEM

    In Peter Gründl of KPMG Denmark's advisory [BUG-ID: 2002016]:

    The Bea Weblogic server incorrectly parses certain types of URL
    requests. This can result in the physical path being revealed, a
    Denial of Service situation and revealing of .jsp sourcecode.

    Physical webroot)

    By appending %00.jsp to a normal .html request, a compiler error
    would in some cases be generated that would print out the path to
    the physical web root. A similar result can be achieved by
    prefixing with %5c (backslash):

    Denial of Service)

    This issue is very similar to the one reported in KPMG-2002003, in
    which we published that requesting a DOS device and appending .jsp
    to the request would exhaust the working threads and cause the web
    service to stop parsing HTTP and HTTPS requests. If a malicious
    user also added %00 in the request, it would still work. The server
    can handle about 10-11 working threads, so when this number of
    active threads has been reached, the server will no longer service
    any requests. Since both HTTP and HTTPS are handled by the same
    module, both are crippled if one is attacked.

    Sourcecode revealed)

    There are a number of ways to manipulate the URL in a way that will
    allow a malicious user to read the contents of a .jsp file. One way
    is to append "%00x" to the request, another could be to add "+." to
    the request (quotation marks not included).

SOLUTION

    Get patch from:
    http://dev2dev.bea.com/resourcelibrary/advisoriesdetail.jsp?highlight=advisoriesnotifications&path=components/dev2dev/resourcelibrary/advisoriesnotifications/securityadvisoriesbea020303.htm
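The three request shapes the advisory describes (a %00 null byte spliced into a .jsp request, a %5c backslash prefix, a DOS device name with .jsp appended, and a trailing "+.") all leave a recognisable trace in the web server's access log. The following detector is an added example written for this page; it is not code from the advisory, from KPMG or from BEA. It assumes an Apache combined-style log format, a single pass of percent-decoding, and the well-known Windows reserved device names (CON, PRN, AUX, NUL, COM1-9, LPT1-9), which the advisory refers to only as "a DOS device". The log lines in SAMPLE_LOG are constructed for the demo.

```python
"""Flag WebLogic-style malformed .jsp request targets in access logs.

Added example for this page (not the advisory's code). The log format,
the device-name set and the sample lines are assumptions/constructed.
"""
import re
from urllib.parse import unquote

# Windows reserved device names (assumed set; the advisory says only "a DOS
# device"). Requests for these with .jsp appended tie up a working thread.
RESERVED_DEVICES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

# Apache combined-style request line: '<ip> - - [<ts>] "GET /path HTTP/1.0" ...'
_REQ_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)


def classify_request_target(raw_target):
    """Return a list of suspicious traits found in one raw request-target.

    Labels: null-byte, backslash, trailing-plus-dot, device-name.
    """
    findings = []
    path = raw_target.split("?", 1)[0]      # ignore the query string
    decoded = unquote(path)                 # one pass: %00 -> NUL, %5c -> '\'

    if "\x00" in decoded:
        findings.append("null-byte")        # /index.html%00.jsp, /page.jsp%00x
    if "\\" in decoded:
        findings.append("backslash")        # %5c-prefixed targets
    if path.endswith("+."):
        findings.append("trailing-plus-dot")  # /page.jsp+.

    # Base name of the last path segment, NUL bytes stripped, compared with
    # the reserved device names (the thread-exhaustion vector).
    last = decoded.replace("\\", "/").rsplit("/", 1)[-1]
    base = last.split(".", 1)[0].replace("\x00", "").upper()
    if base in RESERVED_DEVICES:
        findings.append("device-name")
    return findings


def scan_access_log(lines):
    """Return (client_ip, raw_target, findings) for every line that trips a rule."""
    hits = []
    for line in lines:
        m = _REQ_RE.match(line)
        if not m:
            continue                        # not a request line we understand
        findings = classify_request_target(m.group("target"))
        if findings:
            hits.append((m.group("ip"), m.group("target"), findings))
    return hits


def device_requests_by_client(hits):
    """Count device-name requests per client, to spot thread-exhaustion attempts."""
    counts = {}
    for ip, _target, findings in hits:
        if "device-name" in findings:
            counts[ip] = counts.get(ip, 0) + 1
    return counts


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Mar/2002:12:00:00 +0100] "GET /index.html HTTP/1.0" 200 512',
    '192.0.2.10 - - [10/Mar/2002:12:00:01 +0100] "GET /index.html%00.jsp HTTP/1.0" 500 812',
    '192.0.2.11 - - [10/Mar/2002:12:00:02 +0100] "GET /%5cindex.html HTTP/1.0" 500 812',
    '192.0.2.12 - - [10/Mar/2002:12:00:03 +0100] "GET /con%00.jsp HTTP/1.0" 200 0',
    '192.0.2.13 - - [10/Mar/2002:12:00:04 +0100] "GET /login.jsp%00x HTTP/1.0" 200 2048',
    '192.0.2.13 - - [10/Mar/2002:12:00:05 +0100] "GET /login.jsp+. HTTP/1.0" 200 2048',
]

if __name__ == "__main__":
    for ip, target, findings in scan_access_log(SAMPLE_LOG):
        print(f"{ip:<12} {target:<24} {', '.join(findings)}")
    print("device-name requests per client:", device_requests_by_client(SAMPLE_LOG and scan_access_log(SAMPLE_LOG)))
```

The decoder deliberately performs a single percent-decoding pass and inspects the decoded path, because the benign and malformed requests differ only after decoding; the "+." check runs on the raw target since "+" carries no encoding in a path. Once the patch from the SOLUTION section is applied, these same rules still serve as a cheap indicator that someone is probing for the old behaviour.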