[19845] in bugtraq
def-2001-14: Bea Weblogic Unicode Directory Browsing
daemon@ATHENA.MIT.EDU (Peter Gründl)
Mon Mar 26 13:00:57 2001
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Message-ID: <028a01c0b5c6$db053ec0$71002d0a@dk.defcomsec.com>
Date: Mon, 26 Mar 2001 09:27:09 +0200
Reply-To: Peter Gründl <peter.grundl@DEFCOM.COM>
From: Peter Gründl <peter.grundl@DEFCOM.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
======================================================================
Defcom Labs Advisory def-2001-14
Bea Weblogic Unicode Directory Browsing
Author: Peter Gründl <peter.grundl@defcom.com>
Release Date: 2001-03-26
======================================================================
------------------------=[Brief Description]=-------------------------
The Bea Weblogic server contains a flaw that allows an attacker to
obtain a directory listing of a web folder even when that folder
contains a default document (eg. index.html) that should be served
in its place.
------------------------=[Affected Systems]=--------------------------
- Bea Weblogic Server 6.0 for Windows NT/2000
----------------------=[Detailed Description]=------------------------
By requesting a directory URL and appending a path segment consisting
of one of the following URL-encoded (percent-encoded) byte values:
%00, %2e, %2f or %5c, it is possible to bypass the serving of the
default document (eg. index.html) and instead receive a listing of
the directory's contents.
Examples:
http://www.foo.org/%00/
http://www.foo.org/images/%2e/
http://www.foo.org/passwords/%2f/
http://www.foo.org/creditcard/%5c/
The four encoded values decode to a NUL byte, ".", "/" and "\"
respectively. (The advisory title calls them "unicode"; they are
plain URL percent-encodings of single bytes.)
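The following is an added example, not part of the original advisory and
not Defcom or BEA code. It does two things a tester or incident responder
would want from the description above: it builds the four bypass URLs for
a given directory (using the advisory's www.foo.org host as a placeholder),
and it scans web server access-log lines in Common Log Format for requests
carrying one of the four encoded segments. The log lines are constructed
for the example; the CLF layout is assumed, and the check is general in
that it decodes each path segment rather than matching the four strings
literally, so %2E and %2F are caught as well.

```python
import re
from urllib.parse import unquote_to_bytes

# The four percent-encoded segments named in the advisory, and what each
# decodes to.  The segment is flagged on its decoded value, so upper-case
# hex (%2E) is treated the same as the lower-case form shown in the text.
PROBE_SEGMENTS = ("%00", "%2e", "%2f", "%5c")
SUSPICIOUS_DECODED = {
    b"\x00": "NUL byte",
    b".": "dot",
    b"/": "encoded slash",
    b"\\": "encoded backslash",
}


def build_probe_urls(base, directory="/"):
    """Return the four welcome-file bypass URLs for one directory.

    build_probe_urls("http://www.foo.org", "/images") produces
    http://www.foo.org/images/%00/ through /%5c/, exactly as listed
    in the advisory; directory="/" gives the root form http://host/%00/.
    """
    base = base.rstrip("/")
    directory = "/" + directory.strip("/")
    if directory == "/":
        directory = ""
    return [f"{base}{directory}/{seg}/" for seg in PROBE_SEGMENTS]


def flag_path(raw_path):
    """Return a reason string if raw_path contains a bypass segment, else None.

    The path is split on the *raw* (undecoded) slashes first, so that an
    encoded %2f or %5c is a segment of its own, then each segment is
    decoded separately.  Only segments that actually contain an escape are
    examined: a literal "/./" is normal path syntax, an encoded "%2e" on its
    own is not.
    """
    raw_path = raw_path.split("?", 1)[0]  # query string is irrelevant here
    for segment in raw_path.split("/"):
        if "%" not in segment:
            continue
        decoded = unquote_to_bytes(segment)
        if decoded in SUSPICIOUS_DECODED:
            return f"{SUSPICIOUS_DECODED[decoded]} segment {segment!r}"
    return None


# Common Log Format (assumed layout): client ident user [ts] "METHOD PATH PROTO" status size
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def scan_access_log(lines):
    """Return (client, path, status, reason) for every flagged request."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue  # skip lines that are not CLF requests
        client, _ts, _method, path, status = m.groups()
        reason = flag_path(path)
        if reason:
            hits.append((client, path, int(status), reason))
    return hits


# Constructed sample log lines for the example; the hosts and sizes are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Mar/2001:09:27:09 +0200] "GET /images/%2e/ HTTP/1.0" 200 1532',
    '10.0.0.5 - - [26/Mar/2001:09:27:10 +0200] "GET /index.html HTTP/1.0" 200 423',
    '10.0.0.9 - - [26/Mar/2001:09:28:01 +0200] "GET /passwords/%2F/ HTTP/1.0" 200 871',
    '10.0.0.9 - - [26/Mar/2001:09:28:02 +0200] "GET /%00/ HTTP/1.0" 200 640',
    '10.0.0.9 - - [26/Mar/2001:09:28:03 +0200] "GET /creditcard/%5c/ HTTP/1.0" 200 700',
    '10.0.0.7 - - [26/Mar/2001:09:29:00 +0200] "GET /docs/a%2eb/ HTTP/1.0" 200 100',
]


if __name__ == "__main__":
    for url in build_probe_urls("http://www.foo.org", "/images"):
        print(url)
    for client, path, status, reason in scan_access_log(SAMPLE_LOG):
        print(f"{client} {path} {status}: {reason}")
```

A 200 response to one of the probe URLs with a body that differs from the
directory's default document is the indicator to look for; the scanner only
identifies the attempts, it cannot tell from the log alone whether the
listing was returned.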
---------------------------=[Workaround]=-----------------------------
Upgrade to Weblogic 6.0 Service Pack 1, which addresses the issue:
http://commerce.bea.com/downloads/weblogic_server.jsp#wls
-------------------------=[Vendor Response]=--------------------------
This issue was brought to the vendor's attention on the 22nd of
February, 2001 and a workaround was received on the 6th of March 2001.
======================================================================
This release was brought to you by Defcom Labs
labs@defcom.com www.defcom.com
======================================================================