[19941] in bugtraq
BEA WebLogic may reveal script source code by URL trickery
daemon@ATHENA.MIT.EDU (Sverre H. Huseby)
Fri Mar 30 04:55:10 2001
Message-ID: <20010329130412.G24394@thathost.com>
Date: Thu, 29 Mar 2001 13:04:12 +0200
Reply-To: "Sverre H. Huseby" <shh@THATHOST.COM>
From: "Sverre H. Huseby" <shh@THATHOST.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Meta comment
------------
The reported problem seems to have been fixed in recent versions,
without me talking to BEA. This may indicate that other people have
reported the problem before me (I was unable to find it on
Securityfocus' vulnerability database.) It may also mean that the
problem is related to other URL parsing errors in WebLogic, such as
the one reported recently by Peter Gründl (which inspired me to go
hunting for other bugs, resulting in this advisory).
In either case, I do not want to steal the credit from anyone.
======================================================================
BEA WebLogic may reveal script source code by URL trickery
----------------------------------------------------------
Sverre H. Huseby advisory 2001-03-28
Systems affected
----------------
WebLogic 5.1.0 SP 6, and probably earlier versions. The problem seems
to be gone in 5.1.0 SP 8.
Description
-----------
BEA WebLogic may be tricked into revealing the source code of JSP
scripts by using simple URL encoding of characters in the filename
extension.
Details
-------
It seems that the built-in web server in WebLogic does URL decoding in
an unreasonable order. URLs like the following
http://XXX/index.js%70
where %70 is a URL-encoded 'p', return the source code of index.jsp
rather than running the script on the server side.
To speculate (read: guess): The JSP handler is skipped as this URL
does not end in ".jsp", but the static file handler is nevertheless
able to map the URL into a correct file name.
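As an added illustration (not part of this advisory and not BEA's code), the following Python model of the two dispatch orders shows why an encoded extension slips past the JSP handler, next to a decode-first version and a log check a defender can run. The in-memory document root, the handler names and the helper functions are assumptions made for the example.

```python
from typing import Tuple
from urllib.parse import unquote

# Constructed document root standing in for the server's files.
DOCROOT = {
    "/index.jsp": '<%= request.getParameter("q") %>',  # constructed JSP source
    "/logo.gif": "GIF89a...",                            # an ordinary static asset
}
SCRIPT_EXTENSIONS = (".jsp",)

def serve_vulnerable(raw_path: str) -> Tuple[str, str]:
    """Model of the reported behaviour: the JSP handler is selected on the
    still-encoded URL, while the static handler decodes before mapping."""
    if raw_path.endswith(SCRIPT_EXTENSIONS):
        return ("executed", raw_path)          # JSP handler would run the script
    decoded = unquote(raw_path)                # static handler decodes too late
    if decoded in DOCROOT:
        return ("served", DOCROOT[decoded])    # raw file bytes, i.e. the source
    return ("404", "")

def serve_fixed(raw_path: str) -> Tuple[str, str]:
    """Hardened dispatch: decode exactly once up front, route on the
    canonical path, and never let the static handler touch script files."""
    path = unquote(raw_path)
    if unquote(path) != path:                  # reject double encoding (%2570)
        return ("400", "")
    if path.lower().endswith(SCRIPT_EXTENSIONS):
        return ("executed", path)
    # Defence in depth inside the static handler itself: even if a future
    # routing bug sends a script here, refuse to serve its bytes.
    if path.lower().endswith(SCRIPT_EXTENSIONS):
        return ("403", "")
    if path in DOCROOT:
        return ("served", DOCROOT[path])
    return ("404", "")

def is_encoded_extension_bypass(raw_path: str) -> bool:
    """Log check: flag requests whose decoded path ends in a script
    extension although the raw request line does not."""
    decoded = unquote(unquote(raw_path)).lower()
    return (decoded.endswith(SCRIPT_EXTENSIONS)
            and not raw_path.lower().endswith(SCRIPT_EXTENSIONS))
```

Running `is_encoded_extension_bypass` over the request paths in an access log surfaces probes of this kind regardless of which server version is deployed.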
Impact
------
This design error makes it possible to fetch the source code of JSP
scripts. Such source code may contain database passwords and file
names, and may reveal design errors or programming bugs that make it
possible to further exploit the server or service.
Reported by Sverre H. Huseby, shh@thathost.com
--
<URL:mailto:shh@thathost.com>
<URL:http://shh.thathost.com/>