Bugtraq mailing list archives
def-2001-14: Bea Weblogic Directory Browsing (re-release)
From: Peter Gründl <peter.grundl () DEFCOM COM>
Date: Tue, 27 Mar 2001 10:15:11 +0200
====================================================================== Defcom Labs Advisory def-2001-14 Bea Weblogic Directory Browsing Author: Peter Gründl <peter.grundl () defcom com> Release Date: 2001-03-26 Re-release Date: 2001-03-27 ====================================================================== ------------------------=[Re-Release Reason]=------------------------- Due to a poorly chosen name for the vulnerability this advisory has been re-released (I was getting A LOT of mails from people explaining the difference between unicode and ascii to me ;) Also some more information about the bug has surfaced. ------------------------=[Brief Description]=------------------------- The Bea Weblogic server contains a flaw that allows directory browsing even if the directories contain default documents. ------------------------=[Affected Systems]=-------------------------- - Bea Weblogic Server 6.0 for Windows NT/2000 - It appears that versions prior to 6.0 might also be vulnerable! ----------------------=[Detailed Description]=------------------------ By requesting a URL and ending it with one of the following ascii representations: %00, %2e, %2f or %5c, it is possible to bypass the listing of the default document (eg. index.html) and browse the content of the web folders. Examples: http://www.foo.org/%00/ http://www.foo.org/images/%2e/ http://www.foo.org/passwords/%2f/ http://www.foo.org/creditcard/%5c/ The four unicode representations translate to "null", ".", "/" and "\" ---------------------------=[Workaround]=----------------------------- Workaround: In the WLS console set the "index directory" from "enabled" to "disabled". It should be noted that this will not fix the issue with revealing jsp sourcecode that Adam Boileau reported to Bugtraq in response to the original posting of this advisory! Download and install Weblogic 6.0 with Service Pack 1: http://commerce.bea.com/downloads/weblogic_server.jsp#wls For some people installing V6.0Sp1 might not be an option. Those people are adviced to contact Bea Systems Support for assistance with this issue. -------------------------=[Vendor Response]=-------------------------- This issue was brought to the vendor's attention on the 22nd of February, 2001 and a workaround was received on the 6th of March 2001. ====================================================================== This release was brought to you by Defcom Labs labs () defcom com www.defcom.com ======================================================================
Current thread:
- def-2001-14: Bea Weblogic Directory Browsing (re-release) Peter Gründl (Mar 27)
- Re: def-2001-14: Bea Weblogic Directory Browsing (re-release) Adam Boileau (Mar 27)
- Re: def-2001-14: Bea Weblogic Directory Browsing (re-release) Adam Boileau (Mar 28)
- Re: def-2001-14: Bea Weblogic Directory Browsing (re-release) Adam Boileau (Mar 27)