[19918] in bugtraq
Re: def-2001-14: Bea Weblogic Directory Browsing (re-release)
daemon@ATHENA.MIT.EDU (Adam Boileau)
Wed Mar 28 21:40:46 2001
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.LNX.4.30.0103281941260.7411-100000@eye.storm.net.nz>
Date: Wed, 28 Mar 2001 20:45:52 +1200
Reply-To: Adam Boileau <adam.boileau@STORM.NET.NZ>
From: Adam Boileau <adam.boileau@STORM.NET.NZ>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.30.0103281212580.4396-100000@eye.storm.net.nz>
On Wed, 28 Mar 2001, Adam Boileau wrote:
> Testing directly against the weblogic server, the %00 trick works. When
> proxied (in my case, through Netscape Enterprise Server) via
> solaris/libproxy.so 4.5.1 SP8, SP9, SP11, SP11(with fix), and SP13, it
> also works. When proxied through 4.5.1 SP7, it does not. I don't have any
> versions earlier than SP7 to try - results would be interesting if anyone
> does.
>
> This gives people in my position a workaround until BEA come up with a fix
> - running an old version of libproxy.so.
>
(replying to myself to preempt the many emails I'm going to get once that
makes it through Aleph1's moderation queue)

Of course, about 10 mins after I posted that, I remember why we were
running the later libproxy - there's a buffer overflow in 4.5.1 pre SP11
libproxy.so.

Bah. Take your pick I guess. Intelligent use of Netscape's obj.conf
mappings to minimize what files hostile parties can see the source of
seems the best plan.
Regards,
Adam
-------------
Adam Boileau
Security Consultant
Auckland, New Zealand
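Added example (not part of the post or of any BEA/Netscape code): a small log check a defender could run to see whether the %00 request pattern discussed in this thread has been hitting a server. It assumes Common Log Format access logs; the log lines below are constructed samples.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Mar/2001:20:45:52 +1200] "GET /index.jsp HTTP/1.0" 200 1532
10.0.0.7 - - [28/Mar/2001:20:46:10 +1200] "GET /index.jsp%00 HTTP/1.0" 200 4120
10.0.0.7 - - [28/Mar/2001:20:46:12 +1200] "GET /WEB-INF/web.xml%2500 HTTP/1.0" 200 980
10.0.0.9 - - [28/Mar/2001:20:47:01 +1200] "GET /images/logo.gif HTTP/1.0" 200 2210
"""

# Extracts the request line: method, target and HTTP version.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def has_null_byte(target: str, max_decode: int = 3) -> bool:
    """True if the request target contains a NUL after up to max_decode
    rounds of percent-decoding. Repeated decoding catches %00 as well as
    double-encoded forms such as %2500 that a proxy may decode once more."""
    current = target
    for _ in range(max_decode):
        if "\x00" in current:
            return True
        decoded = unquote(current)
        if decoded == current:  # nothing left to decode
            break
        current = decoded
    return "\x00" in current


def find_null_byte_requests(log_text: str) -> list:
    """Return (client_ip, raw_target) for every request whose target
    decodes to something containing a NUL byte."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        client_ip = line.split(" ", 1)[0]
        target = match.group("target")
        if has_null_byte(target):
            hits.append((client_ip, target))
    return hits


if __name__ == "__main__":
    for ip, target in find_null_byte_requests(SAMPLE_LOG):
        print(f"{ip} requested {target!r} (NUL byte after decoding)")
```

The same `has_null_byte` check can be placed in front of the application server to reject such targets before they reach it, independent of which libproxy.so build is in use.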