[19868] in bugtraq
def-2001-14: Bea Weblogic Directory Browsing (re-release)
daemon@ATHENA.MIT.EDU (Peter Gründl)
Tue Mar 27 11:29:37 2001
Message-ID: <065601c0b696$0b640db0$71002d0a@dk.defcomsec.com>
Date: Tue, 27 Mar 2001 10:15:11 +0200
Reply-To: Peter Gründl <peter.grundl@DEFCOM.COM>
From: Peter Gründl <peter.grundl@DEFCOM.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
======================================================================
Defcom Labs Advisory def-2001-14
Bea Weblogic Directory Browsing
Author: Peter Gründl <peter.grundl@defcom.com>
Release Date: 2001-03-26
Re-release Date: 2001-03-27
======================================================================
------------------------=[Re-Release Reason]=-------------------------
Due to a poorly chosen name for the vulnerability this advisory has
been re-released (I was getting A LOT of mails from people explaining
the difference between Unicode and ASCII to me ;)
Also, some more information about the bug has surfaced.
------------------------=[Brief Description]=-------------------------
The Bea Weblogic server contains a flaw that allows directory browsing
even if the directories contain default documents.
------------------------=[Affected Systems]=--------------------------
- Bea Weblogic Server 6.0 for Windows NT/2000
- It appears that versions prior to 6.0 might also be vulnerable!
----------------------=[Detailed Description]=------------------------
By requesting a URL and ending it with one of the following URL-encoded
ASCII characters: %00, %2e, %2f or %5c, it is possible to bypass the
default document (e.g. index.html) and browse the content of the web
folders.
Examples:
http://www.foo.org/%00/
http://www.foo.org/images/%2e/
http://www.foo.org/passwords/%2f/
http://www.foo.org/creditcard/%5c/
The four encoded sequences decode to the null byte, ".", "/" and "\"
respectively.
---------------------------=[Workaround]=-----------------------------
Workaround:
In the WLS console set the "index directory" from "enabled" to
"disabled".
It should be noted that this will not fix the issue with revealing JSP
source code that Adam Boileau reported to Bugtraq in response to the
original posting of this advisory!
Download and install Weblogic 6.0 with Service Pack 1:
http://commerce.bea.com/downloads/weblogic_server.jsp#wls
For some people installing V6.0Sp1 might not be an option. Those
people are advised to contact Bea Systems Support for assistance with
this issue.
-------------------------=[Vendor Response]=--------------------------
This issue was brought to the vendor's attention on the 22nd of
February, 2001 and a workaround was received on the 6th of March 2001.
======================================================================
This release was brought to you by Defcom Labs
labs@defcom.com www.defcom.com
======================================================================
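
Added example (not part of the Defcom advisory): a log check for the
request pattern described under "Detailed Description". It assumes the
access log is in Common Log Format; the function name and the sample log
lines are constructed for illustration.

```python
import re

# Encoded bytes named in the advisory: NUL, ".", "/" and "\".
SUSPECT_TAIL = re.compile(r"(%00|%2e|%2f|%5c)/?$", re.IGNORECASE)

# Assumed log layout (Common Log Format):
# host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def find_listing_probes(lines):
    """Return (host, raw_path, token, status) for requests whose raw path
    ends in one of the encoded bytes, with or without a trailing slash."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a CLF line
        # Match the raw, undecoded path: once decoded, "/images/%2e/"
        # is just "/images/./" and the marker is gone.
        raw_path = m.group("target").split("?", 1)[0]
        tail = SUSPECT_TAIL.search(raw_path)
        if tail:
            hits.append((m.group("host"), raw_path,
                         tail.group(1).lower(), int(m.group("status"))))
    return hits

# Constructed sample log lines; addresses are from documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Mar/2001:10:15:11 +0200] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.44 - - [27/Mar/2001:10:16:02 +0200] "GET /images/%2e/ HTTP/1.0" 200 2310',
    '192.0.2.44 - - [27/Mar/2001:10:16:05 +0200] "GET /%00/ HTTP/1.0" 200 1877',
    '198.51.100.7 - - [27/Mar/2001:10:17:40 +0200] "GET /docs/a%2fb.html HTTP/1.0" 404 0',
    '198.51.100.7 - - [27/Mar/2001:10:18:12 +0200] "GET /static/%5C HTTP/1.0" 403 0',
    '192.0.2.10 - - [27/Mar/2001:10:19:00 +0200] "GET /search?q=%2f HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for host, path, token, status in find_listing_probes(SAMPLE_LOG):
        # A 200 on such a request is worth checking for a served listing.
        print(f"{host} {path} token={token} status={status}")
```

Encoded bytes in the middle of a path or in the query string are not
flagged, since the advisory describes URLs that end with the sequence.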