def-2000-04: Bea WebLogic Server dotdot-overflow
daemon@ATHENA.MIT.EDU (Peter Gründl)
Wed Dec 20 15:43:28 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"; format=flowed
Message-Id: <5.0.2.1.0.20001219133320.00bded50@astral.defcom.com>
Date: Tue, 19 Dec 2000 13:34:02 +0100
Reply-To: Peter Gründl <peter.grundl@DEFCOM.COM>
From: Peter Gründl <peter.grundl@DEFCOM.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Content-Transfer-Encoding: 8bit
======================================================================
Defcom Labs Advisory def-2000-04
Bea WebLogic Server dotdot-overflow
Author: Peter Gründl <peter.grundl@defcom.com>
Release Date: 2000-12-19
======================================================================
------------------------=[Brief Description]=-------------------------
It is possible to trigger a race condition that can result in the
stack and registers being partially overwritten.
------------------------=[Affected Systems]=--------------------------
Bea WebLogic Server for Windows NT prior to V5.1.0 - Service Pack 7
----------------------=[Detailed Description]=------------------------
WebLogic Server has a specific handler for URL requests that start
with ".." ("dotdot"). By sending a large URL (..aaaaaaaaaaaaaaaaaaxlots more)
and then disconnecting, it is possible to trigger a buffer overflow. The
result can range from crashing the web server to executing arbitrary
code on the server with the privileges of the web server process
(which usually means LocalSystem).
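The request shape described above is easy to look for in web server access
logs. The following is an added detection example, not part of the advisory
or of any Defcom or BEA tooling. It assumes Common Log Format lines, a
constructed sample log, and an assumed length threshold of 256 bytes (the
advisory only says "a large URL", so the cutoff should be tuned locally).

```python
"""Flag access-log requests whose URL begins with ".." and is unusually long,
the shape described in the advisory. Added detection example; the log format,
sample lines and threshold are assumptions, not values from the advisory."""
import re
from typing import Dict, List, Optional

# Common Log Format request line. Assumption: the server writes CLF-style
# access logs; adjust the pattern for other formats.
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed length above which a ".." request is treated as suspicious.
DOTDOT_LENGTH_THRESHOLD = 256


def parse_clf(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one CLF line, or None if it does not parse."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def is_dotdot_overflow_candidate(path: str, threshold: int = DOTDOT_LENGTH_THRESHOLD) -> bool:
    """True when the request path starts with ".." (with or without a leading
    slash) and its total length exceeds the threshold."""
    stripped = path.lstrip("/")
    return stripped.startswith("..") and len(path) > threshold


def scan_log(log_text: str, threshold: int = DOTDOT_LENGTH_THRESHOLD) -> List[Dict[str, str]]:
    """Return parsed records whose request path looks like a dotdot-overflow
    attempt. Lines that do not parse are skipped. Caveat: a client that
    disconnects before the server writes its access-log entry leaves no
    record here, so an empty result is not proof that nothing happened."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec and is_dotdot_overflow_candidate(rec["path"], threshold):
            hits.append(rec)
    return hits


# Constructed sample log: one benign request, one short ".." request (below
# the threshold, not flagged), one long ".." request (flagged), one junk line.
LONG_DOTDOT_PATH = "/.." + "a" * 300
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [19/Dec/2000:13:34:02 +0100] "GET /index.html HTTP/1.0" 200 1043',
    '10.0.0.6 - - [19/Dec/2000:13:34:04 +0100] "GET /../ HTTP/1.0" 404 210',
    f'10.0.0.7 - - [19/Dec/2000:13:34:05 +0100] "GET {LONG_DOTDOT_PATH} HTTP/1.0" 400 0',
    'this line is not in CLF and is skipped',
])

if __name__ == "__main__":
    for rec in scan_log(SAMPLE_LOG):
        print(f'{rec["ts"]} {rec["client"]} {rec["method"]} path_len={len(rec["path"])}')
```

Run against the constructed sample, only the 10.0.0.7 entry is reported;
the short "/../" request stays below the threshold. On a real host the
durable fix remains the Service Pack 7 upgrade named in the Workaround
section; this scanner only helps spot attempts against servers that have
not yet been patched.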
---------------------------=[Workaround]=-----------------------------
Upgrade to Bea WebLogic Server 5.1.0, Service Pack 7:
http://commerce.beasys.com/downloads/weblogic_server.jsp
-------------------------=[Vendor Response]=--------------------------
This issue was brought to the vendor's attention on the 20th of
November, and notification of a fix was received by Defcom on the 19th
of December.
======================================================================
This release was brought to you by Defcom Labs
labs@defcom.com www.defcom.com
======================================================================