[15421] in bugtraq
BEA WebLogic /file/ showcode vulnerability
daemon@ATHENA.MIT.EDU (stuart.mcclure@FOUNDSTONE.COM)
Wed Jun 21 15:29:08 2000
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----_=_NextPart_001_01BFDB4B.08156950"
Message-ID: <2153DBA073F0D311911100B0D01A826F05BA13@mail.foundstone.com>
Date: Wed, 21 Jun 2000 02:36:25 -0400
Reply-To: stuart.mcclure@FOUNDSTONE.COM
From: stuart.mcclure@FOUNDSTONE.COM
To: BUGTRAQ@SECURITYFOCUS.COM
This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.
------_=_NextPart_001_01BFDB4B.08156950
Content-Type: text/plain;
charset="ISO-8859-1"
Foundstone, Inc.
http://www.foundstone.com
"Securing the Dot Com World"
Security Advisory
BEA's WebLogic
----------------------------------------------------------------------
FS Advisory ID: FS-062100-3-BEA
Release Date: June 21, 2000
Product: WebLogic
Vendor: BEA Systems (http://www.beasys.com)
Vendor Advisory: Contact vendor.
Type: Unparsed pages: Show code vulnerability
Severity: Low to Medium (depending on JSP/JHTML coding
practices)
Author: Saumil Shah (saumil.shah@foundstone.com)
Shreeraj Shah (shreeraj.shah@foundstone.com)
Stuart McClure (stuart.mcclure@foundstone.com)
Foundstone, Inc. (http://www.foundstone.com)
Operating Systems: All operating systems
Vulnerable versions: BEA WebLogic Server and Express 5.1.x
BEA WebLogic Server and Express 4.5.x
BEA WebLogic Server and Express 4.0.x
BEA WebLogic Server and Express 3.1.8
Note: No currently available versions of BEA
WebLogic Enterprise are affected.
Foundstone Advisory: http://www.foundstone.com
----------------------------------------------------------------------
Description
A show code vulnerability exists with BEA's WebLogic 5.1.0
allowing an attacker to view the source code of any file
within the web document root of the web server.
Details
WebLogic relies on four main Java Servlets to serve different
kinds of files. These servlets are:
FileServlet - for plain HTML pages
SSIServlet - for Server Side Includes pages
PageCompileServlet - for JHTML pages
JSPServlet - for Java Server Pages
Looking at the weblogic.properties file, here is how each of
these servlets are registered:
weblogic.httpd.register.file=weblogic.servlet.FileServlet
weblogic.httpd.register.*.shtml=
weblogic.servlet.ServerSideIncludeServlet
weblogic.httpd.register.*.jhtml=
weblogic.servlet.jhtmlc.PageCompileServlet
weblogic.httpd.register.*.jsp=
weblogic.servlet.JSPServlet
Further along the weblogic.properties file, there is a
default servlet which is called upon if a requested file
does not have a registered handler. The lines below show
how the default servlet is registered.
# Default servlet registration
# ------------------------------------------------
# Virtual name of the default servlet if no matching servlet
# is found weblogic.httpd.defaultServlet=file
Thus, if the file path in the URL is prefixed with "/file/",
it causes WebLogic to invoke the default servlet, which
causes pages to be displayed without being parsed or
compiled.
Proof of concept
It is easy to verify this vulnerability for a given system.
Prefixing the path to web pages with "/file/" in the URL
causes the file to be displayed without being parsed or
compiled. For example if the URL for a file "login.jsp" is:
http://site.running.weblogic/login.jsp
then accessing
http://site.running.weblogic/file/login.jsp
would cause the unparsed contents of the file to show up in
the web browser.
Solution
Workaround
(The vendor recommends)
Do not use the example configuration for the FileServlet in
production situations. It is possible to view the source of
a JSP/JHTML file in a browser if you do. For more information
on the file servlet, see "Setting up the File Servlet" in the
online documentation at:
http://www.weblogic.com/docs51/admindocs/http.html#file
The example registrations look like this:
weblogic.httpd.register.file=weblogic.servlet.FileServlet
weblogic.httpd.initArgs.file=defaultFilename=index.html
weblogic.httpd.defaultServlet=file
There are two ways to avoid this:
* Register the file servlet with a name that uses a random
string that will be difficult to guess. For example, the
following registrations will register the file servlet as
12foo34:
weblogic.httpd.register.12foo34=weblogic.servlet.FileServlet
weblogic.httpd.initArgs.12foo34=defaultFilename=index.html
weblogic.httpd.defaultServlet=12foo34
* Register the file servlet using wild cards representing all
of the file extensions you will be serving. For example, the
following registrations register the file servlet to serve
.html files:
weblogic.httpd.register.*.html=weblogic.servlet.FileServlet
weblogic.httpd.initArgs.*.html=defaultFilename=index.html
weblogic.httpd.defaultServlet=*.html
Repeat the above registrations for all the file types you will
be serving, for example, *.gif, *.jpg, *.pdf, *.txt, etc.
Note: This information is documented in the BEA WebLogic
Server and Express documentation at:
http://www.weblogic.com/docs51/admindocs/lockdown.html
Fix
Contact the vendor.
Credits
We would also like to thank BEA Systems for their prompt and
serious reaction to this problem.
------_=_NextPart_001_01BFDB4B.08156950
Content-Type: text/html;
charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3DISO-8859-1">
<META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version =
5.5.2650.12">
<TITLE>BEA WebLogic /file/ showcode vulnerability</TITLE>
</HEAD>
<BODY>
<P><FONT =
SIZE=3D2> &nb=
sp; &nb=
sp; Foundstone, Inc.</FONT>
<BR><FONT =
SIZE=3D2> &nb=
sp; &nb=
sp; <A HREF=3D"http://www.foundstone.com" =
TARGET=3D"_blank">http://www.foundstone.com</A></FONT>
<BR><FONT =
SIZE=3D2> &nb=
sp; =
"Securing the Dot Com =
World" &=
nbsp; </FONT>
<BR><FONT =
SIZE=3D2> &nb=
sp; &nb=
sp; </FONT>
<BR><FONT =
SIZE=3D2> &nb=
sp; &nb=
sp; Security Advisory</FONT>
<BR><FONT =
SIZE=3D2> &nb=
sp; &nb=
sp; </FONT>
<BR><FONT =
SIZE=3D2> &nb=
sp; &nb=
sp; BEA's WebLogic</FONT>
</P>
<P><FONT =
SIZE=3D2>---------------------------------------------------------------=
-------</FONT>
<BR><FONT SIZE=3D2>FS Advisory =
ID: =
FS-062100-3-BEA</FONT>
</P>
<P><FONT SIZE=3D2>Release =
Date: June =
21, 2000</FONT>
</P>
<P><FONT =
SIZE=3D2>Product: &=
nbsp; WebLogic</FONT>
</P>
<P><FONT =
SIZE=3D2>Vendor: &n=
bsp; BEA Systems (<A =
HREF=3D"http://www.beasys.com" =
TARGET=3D"_blank">http://www.beasys.com</A>)</FONT>
</P>
<P><FONT SIZE=3D2>Vendor =
Advisory: Contact =
vendor.</FONT>
</P>
<P><FONT =
SIZE=3D2>Type: &nbs=
p; Unparsed pages: Show =
code vulnerability</FONT>
</P>
<P><FONT =
SIZE=3D2>Severity: =
Low to Medium (depending on JSP/JHTML =
coding </FONT>
<BR><FONT =
SIZE=3D2> &nb=
sp; &nb=
sp; practices)</FONT>
<BR><FONT =
SIZE=3D2> &nb=
sp; </FONT>
<BR><FONT =
SIZE=3D2>Author: &n=
bsp; Saumil Shah =
(saumil.shah@foundstone.com)</FONT>
<BR><FONT =
SIZE=3D2> &nb=
sp; &nb=
sp; Shreeraj Shah (shreeraj.shah@foundstone.com)</FONT>
<BR><FONT =
SIZE=3D2> &nb=
sp; &nb=
sp; Stuart McClure (stuart.mcclure@foundstone.com)</FONT>
<BR><FONT =
SIZE=3D2> &nb=
sp; &nb=
sp; Foundstone, Inc. (<A HREF=3D"http://www.foundstone.com" =
TARGET=3D"_blank">http://www.foundstone.com</A>)</FONT>
</P>
<P><FONT SIZE=3D2>Operating Systems: All =
operating systems</FONT>
</P>
<P><FONT SIZE=3D2>Vulnerable versions: BEA WebLogic =
Server and Express 5.1.x</FONT>
<BR><FONT =
SIZE=3D2> &nb=
sp; &nb=
sp; BEA WebLogic Server and Express 4.5.x</FONT>
<BR><FONT =
SIZE=3D2> &nb=
sp; &nb=
sp; BEA WebLogic Server and Express 4.0.x</FONT>
<BR><FONT =
SIZE=3D2> &nb=
sp; &nb=
sp; BEA WebLogic Server and Express 3.1.8</FONT>
<BR><FONT SIZE=3D2> </FONT>
<BR><FONT =
SIZE=3D2> &nb=
sp; &nb=
sp; Note: No currently available versions of BEA </FONT>
<BR><FONT =
SIZE=3D2> &nb=
sp; &nb=
sp; WebLogic Enterprise are affected.</FONT>
</P>
<P><FONT SIZE=3D2>Foundstone Advisory: <A =
HREF=3D"http://www.foundstone.com" =
TARGET=3D"_blank">http://www.foundstone.com</A></FONT>
<BR><FONT =
SIZE=3D2>---------------------------------------------------------------=
-------</FONT>
</P>
<P><FONT SIZE=3D2>Description</FONT>
<BR><FONT SIZE=3D2> </FONT>
<BR><FONT SIZE=3D2> A show =
code vulnerability exists with BEA's WebLogic 5.1.0 </FONT>
<BR><FONT SIZE=3D2> allowing =
an attacker to view the source code of any file </FONT>
<BR><FONT SIZE=3D2> within =
the web document root of the web server.</FONT>
</P>
<P><FONT SIZE=3D2>Details</FONT>
<BR><FONT SIZE=3D2> </FONT>
<BR><FONT SIZE=3D2> WebLogic =
relies on four main Java Servlets to serve different </FONT>
<BR><FONT SIZE=3D2> kinds of =
files. These servlets are:</FONT>
<BR><FONT SIZE=3D2> </FONT>
<BR><FONT SIZE=3D2> =
FileServlet - for plain HTML pages</FONT>
<BR><FONT SIZE=3D2> =
SSIServlet - for Server Side Includes pages</FONT>
<BR><FONT SIZE=3D2> =
PageCompileServlet - for JHTML pages</FONT>
<BR><FONT SIZE=3D2> =
JSPServlet - for Java Server Pages</FONT>
</P>
<P><FONT SIZE=3D2> Looking at =
the weblogic.properties file, here is how each of </FONT>
<BR><FONT SIZE=3D2> these =
servlets are registered: </FONT>
<BR><FONT SIZE=3D2> </FONT>
<BR><FONT SIZE=3D2> =
weblogic.httpd.register.file=3Dweblogic.servlet.FileServlet</FONT>
<BR><FONT SIZE=3D2> =
weblogic.httpd.register.*.shtml=3D</FONT>
<BR><FONT =
SIZE=3D2> &nb=
sp; =
weblogic.servlet.ServerSideIncludeServlet</FONT>
<BR><FONT SIZE=3D2> =
weblogic.httpd.register.*.jhtml=3D</FONT>
<BR><FONT =
SIZE=3D2> &nb=
sp; =
weblogic.servlet.jhtmlc.PageCompileServlet</FONT>
<BR><FONT SIZE=3D2> =
weblogic.httpd.register.*.jsp=3D</FONT>
<BR><FONT =
SIZE=3D2> &nb=
sp; weblogic.servlet.JSPServlet</FONT>
</P>
<P><FONT SIZE=3D2> Further =
along the weblogic.properties file, there is a </FONT>
<BR><FONT SIZE=3D2> default =
servlet which is called upon if a requested file </FONT>
<BR><FONT SIZE=3D2> does not =
have a registered handler. The lines below show </FONT>
<BR><FONT SIZE=3D2> how the =
default servlet is registered.</FONT>
</P>
<P><FONT SIZE=3D2> # Default =
servlet registration</FONT>
<BR><FONT SIZE=3D2> # =
------------------------------------------------</FONT>
<BR><FONT SIZE=3D2> # Virtual =
name of the default servlet if no matching servlet </FONT>
<BR><FONT SIZE=3D2> # is =
found weblogic.httpd.defaultServlet=3Dfile</FONT>
</P>
<P><FONT SIZE=3D2> Thus, if =
the file path in the URL is prefixed with "/file/",</FONT>
<BR><FONT SIZE=3D2> it causes =
WebLogic to invoke the default servlet, which </FONT>
<BR><FONT SIZE=3D2> causes =
pages to be displayed without being parsed or </FONT>
<BR><FONT SIZE=3D2> =
compiled.</FONT>
</P>
<P><FONT SIZE=3D2>Proof of concept</FONT>
<BR><FONT SIZE=3D2> </FONT>
<BR><FONT SIZE=3D2> It is =
easy to verify this vulnerability for a given system. </FONT>
<BR><FONT SIZE=3D2> Prefixing =
the path to web pages with "/file/" in the URL </FONT>
<BR><FONT SIZE=3D2> causes =
the file to be displayed without being parsed or </FONT>
<BR><FONT SIZE=3D2> compiled. =
For example if the URL for a file "login.jsp" is:</FONT>
<BR><FONT SIZE=3D2> </FONT>
<BR><FONT SIZE=3D2> <A =
HREF=3D"http://site.running.weblogic/login.jsp" =
TARGET=3D"_blank">http://site.running.weblogic/login.jsp</A></FONT>
<BR><FONT SIZE=3D2> </FONT>
<BR><FONT SIZE=3D2> then =
accessing</FONT>
<BR><FONT SIZE=3D2> </FONT>
<BR><FONT SIZE=3D2> <A =
HREF=3D"http://site.running.weblogic/file/login.jsp" =
TARGET=3D"_blank">http://site.running.weblogic/file/login.jsp</A></FONT>=
<BR><FONT SIZE=3D2> </FONT>
<BR><FONT SIZE=3D2> would =
cause the unparsed contents of the file to show up in </FONT>
<BR><FONT SIZE=3D2> the web =
browser.</FONT>
<BR><FONT SIZE=3D2> </FONT>
<BR><FONT SIZE=3D2>Solution</FONT>
</P>
<P><FONT SIZE=3D2> =
Workaround</FONT>
<BR><FONT SIZE=3D2> (The =
vendor recommends)</FONT>
<BR><FONT SIZE=3D2> </FONT>
<BR><FONT SIZE=3D2> Do not =
use the example configuration for the FileServlet in </FONT>
<BR><FONT SIZE=3D2> =
production situations. It is possible to view the source of =
</FONT>
<BR><FONT SIZE=3D2> a =
JSP/JHTML file in a browser if you do. For more information </FONT>
<BR><FONT SIZE=3D2> on the =
file servlet, see "Setting up the File Servlet" in the =
</FONT>
<BR><FONT SIZE=3D2> online =
documentation at:</FONT>
<BR><FONT SIZE=3D2> </FONT>
<BR><FONT SIZE=3D2> <A =
HREF=3D"http://www.weblogic.com/docs51/admindocs/http.html#file" =
TARGET=3D"_blank">http://www.weblogic.com/docs51/admindocs/http.html#fil=
e</A></FONT>
<BR><FONT SIZE=3D2> </FONT>
<BR><FONT SIZE=3D2> The =
example registrations look like this:</FONT>
<BR><FONT SIZE=3D2> </FONT>
<BR><FONT SIZE=3D2> =
weblogic.httpd.register.file=3Dweblogic.servlet.FileServlet</FONT>
<BR><FONT SIZE=3D2> =
weblogic.httpd.initArgs.file=3DdefaultFilename=3Dindex.html</FONT>
<BR><FONT SIZE=3D2> =
weblogic.httpd.defaultServlet=3Dfile</FONT>
<BR><FONT SIZE=3D2> </FONT>
<BR><FONT SIZE=3D2> There are =
two ways to avoid this:</FONT>
<BR><FONT SIZE=3D2> </FONT>
<BR><FONT SIZE=3D2> * =
Register the file servlet with a name that uses a random </FONT>
<BR><FONT SIZE=3D2> string =
that will be difficult to guess. For example, the </FONT>
<BR><FONT SIZE=3D2> following =
registrations will register the file servlet as </FONT>
<BR><FONT SIZE=3D2> =
12foo34:</FONT>
<BR><FONT SIZE=3D2> </FONT>
<BR><FONT SIZE=3D2> =
weblogic.httpd.register.12foo34=3Dweblogic.servlet.FileServlet</FONT>
<BR><FONT SIZE=3D2> =
weblogic.httpd.initArgs.12foo34=3DdefaultFilename=3Dindex.html</FONT>
<BR><FONT SIZE=3D2> =
weblogic.httpd.defaultServlet=3D12foo34</FONT>
<BR><FONT SIZE=3D2> </FONT>
<BR><FONT SIZE=3D2> * =
Register the file servlet using wild cards representing all</FONT>
<BR><FONT SIZE=3D2> of the =
file extensions you will be serving. For example, the </FONT>
<BR><FONT SIZE=3D2> following =
registrations register the file servlet to serve </FONT>
<BR><FONT SIZE=3D2> .html =
files:</FONT>
<BR><FONT SIZE=3D2> </FONT>
<BR><FONT SIZE=3D2> =
weblogic.httpd.register.*.html=3Dweblogic.servlet.FileServlet</FONT>
<BR><FONT SIZE=3D2> =
weblogic.httpd.initArgs.*.html=3DdefaultFilename=3Dindex.html</FONT>
<BR><FONT SIZE=3D2> =
weblogic.httpd.defaultServlet=3D*.html</FONT>
<BR><FONT SIZE=3D2> </FONT>
<BR><FONT SIZE=3D2> Repeat =
the above registrations for all the file types you will </FONT>
<BR><FONT SIZE=3D2> be =
serving, for example, *.gif, *.jpg, *.pdf, *.txt, etc.</FONT>
<BR><FONT SIZE=3D2> </FONT>
<BR><FONT SIZE=3D2> =
Note: This information is documented in the BEA WebLogic </FONT>
<BR><FONT SIZE=3D2> Server =
and Express documentation at:</FONT>
<BR><FONT SIZE=3D2> </FONT>
<BR><FONT SIZE=3D2> <A =
HREF=3D"http://www.weblogic.com/docs51/admindocs/lockdown.html" TARGET=3D=
"_blank">http://www.weblogic.com/docs51/admindocs/lockdown.html</A></FON=
T>
</P>
<P><FONT SIZE=3D2> Fix</FONT>
<BR><FONT SIZE=3D2> </FONT>
<BR><FONT SIZE=3D2> Contact =
the vendor.</FONT>
</P>
<P><FONT SIZE=3D2>Credits</FONT>
</P>
<P><FONT SIZE=3D2> We would =
also like to thank BEA Systems for their prompt and </FONT>
<BR><FONT SIZE=3D2> serious =
reaction to this problem.</FONT>
</P>
</BODY>
</HTML>
------_=_NextPart_001_01BFDB4B.08156950--
