[19896] in bugtraq
Re: def-2001-14: Bea Weblogic Directory Browsing (re-release)
daemon@ATHENA.MIT.EDU (Adam Boileau)
Wed Mar 28 03:25:14 2001
Message-ID: <Pine.LNX.4.30.0103281212580.4396-100000@eye.storm.net.nz>
Date: Wed, 28 Mar 2001 12:31:35 +1200
Reply-To: Adam Boileau <adam.boileau@STORM.NET.NZ>
From: Adam Boileau <adam.boileau@STORM.NET.NZ>
X-To: =?iso-8859-1?Q?Peter_Gr=FCndl?= <peter.grundl@DEFCOM.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <065601c0b696$0b640db0$71002d0a@dk.defcomsec.com>
> ------------------------=[Affected Systems]=--------------------------
> - Bea Weblogic Server 6.0 for Windows NT/2000
> - It appears that versions prior to 6.0 might also be vulnerable!
>
They are indeed - I turned directory listing back on and was able to
reproduce the originally described effect in 4.5.1 and 5.1.
>
> It should be noted that this will not fix the issue with revealing jsp
> sourcecode that Adam Boileau reported to Bugtraq in response to the
> original posting of this advisory!
To expand somewhat, after some further work:
Appending a '%00' to the end of a .jsp request retrieves the source of the
jsp.
I have reproduced this on WL 4.5.1 SP11 and SP13 in both cluster and
standalone configurations. I have also reproduced it with 5.1 SP6 and SP3,
all in a Solaris environment.
The negative result that I initially got with SP11 turned out to be quite
interesting - it occurs only when passed through libproxy.so 4.5.1 SP7.
Testing directly against the weblogic server, the %00 trick works. When
proxied (in my case, through Netscape Enterprise Server) via
solaris/libproxy.so 4.5.1 SP8, SP9, SP11, SP11(with fix), and SP13, it
also works. When proxied through 4.5.1 SP7, it does not. I don't have any
versions earlier than SP7 to try - results would be interesting if anyone
does.
This gives people in my position a workaround until BEA come up with a fix
- running an old version of libproxy.so.
I've done no testing of WLS on NT - you're on your own.
I have notified BEA (they released an advisory in response to the Defcom
Labs directory listing vuln today, but nothing about my little
observation) today, shorter notice than RFP would like[1], but given that
the cat is already out of the bag, I figured it was better to let people know
as soon as possible.
Regards,
Adam
-------------
Adam Boileau
Security Consultant
Auckland, New Zealand
[1] But then again, he wears gold lame[2] pants, so who are we to take him
seriously ;)
[2] That's "lah-may" not "lame" :)
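The null-byte pattern the post describes (a `.jsp` target with `%00` appended) is easy to screen for at a reverse proxy or in access logs. The following is an added example, not code from the post or from BEA; the log lines are constructed, and the "truncated resource" helper assumes the container stops reading the path at the NUL, which is the behaviour the post reports rather than something this code verifies.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Mar/2001:12:31:35 +1200] "GET /index.jsp HTTP/1.0" 200 1843
10.0.0.9 - - [28/Mar/2001:12:32:07 +1200] "GET /login.jsp%00 HTTP/1.0" 200 2210
10.0.0.9 - - [28/Mar/2001:12:32:09 +1200] "GET /admin/config.jsp%2500 HTTP/1.0" 404 311
10.0.0.7 - - [28/Mar/2001:12:33:41 +1200] "GET /images/logo.gif HTTP/1.0" 200 5120
"""

_REQ_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def decode_fully(target, max_rounds=3):
    """Percent-decode until stable so a double-encoded %2500 is caught too."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def is_null_byte_request(target):
    """True if the request target carries an embedded NUL after decoding.
    A NUL is never legitimate inside an HTTP request target, so a proxy or
    servlet filter can reject such requests outright instead of forwarding
    them to the container."""
    return "\x00" in decode_fully(target)

def truncated_resource(target):
    """Resource the container would see if it stopped at the NUL
    (assumed behaviour, e.g. '/login.jsp' for '/login.jsp%00');
    None when the target contains no NUL."""
    decoded = decode_fully(target)
    if "\x00" not in decoded:
        return None
    return decoded.split("\x00", 1)[0]

def scan_log(text):
    """Return (line_no, raw target, truncated resource) for each suspicious line."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = _REQ_LINE.search(line)
        if m and is_null_byte_request(m.group("target")):
            hits.append((n, m.group("target"), truncated_resource(m.group("target"))))
    return hits
```

Running `scan_log(SAMPLE_LOG)` flags lines 2 and 3 and reports which JSP each one was aimed at, which is what an analyst wants when deciding whether source was exposed.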