Bugtraq mailing list archives

BEA WebLogic JSP showcode vulnerability


From: stuart.mcclure () FOUNDSTONE COM (stuart.mcclure () FOUNDSTONE COM)
Date: Mon, 12 Jun 2000 01:19:45 -0400


                            Foundstone, Inc.
                        http://www.foundstone.com
                      "Securing the Dot Com World"

                           Security Advisory

                             BEA's WebLogic

----------------------------------------------------------------------
FS Advisory ID:         FS-061200-2-BEA

Release Date:           June 12, 2000

Product:                WebLogic

Vendor:                 BEA Systems (http://www.beasys.com)

Vendor Advisory:        None available at release time.

Type:                   JSP/JHTML show code vulnerability

Severity:               Low to Medium (depending on JSP/JHTML coding
                        practices)

Author:                 Saumil Shah (saumil.shah () foundstone com)
                        Stuart McClure (stuart.mcclure () foundstone com)
                        Foundstone, Inc. (http://www.foundstone.com)

Operating Systems:      Windows NT

Vulnerable versions:    Up to and including WebLogic 4.5.1

Foundstone Advisory:    http://www.foundstone.com
----------------------------------------------------------------------

Description

        A show code vulnerability exists with BEA's WebLogic 4.5.1 for
        NT allowing an attacker to view the source code of Java Server
        Pages (JSP) or JHTML files.

Details

        The problem lies with the way WebLogic assigns handlers to
        specific file types. For example, files with the extensions
        .jsp and .jhtml are registered as Java Server Pages or Java
        Servlet files in the WebLogic configuration "weblogic.
        properties" which lies under the \weblogic directory.

        A sample out-of-the-box configuration file looks as
        follows:

          # ---irrelevant part trimmed out---

          # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
          # WEBLOGIC JHTML PROPERTIES
          # ------------------------------------------------
          # Sets up automatic page compilation for JHTML. Adjust init
          # args for directory locations and uncomment to use.
          weblogic.httpd.register.*.jhtml=\
                 weblogic.servlet.jhtmlc.PageCompileServlet
          weblogic.httpd.initArgs.*.jhtml=\
                 pageCheckSeconds=1,\
                 packagePrefix=examples.jhtml,\
                 compileCommand=c:/java/bin/javac.exe,\
                 workingDir=d:/weblogic/myserver/classfiles,\
                 verbose=true

          # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
          # WEBLOGIC JSP PROPERTIES
          # ------------------------------------------------
          # Sets up automatic page compilation for JSP. Adjust init
          # args for directory locations and uncomment to use.
          weblogic.httpd.register.*.jsp=\
                 weblogic.servlet.JSPServlet
          weblogic.httpd.initArgs.*.jsp=\
                 pageCheckSeconds=1,\
                 compileCommand=c:/java/bin/javac.exe,\
                 workingDir=d:/weblogic/myserver/classfiles,\
                 verbose=true

        We can observe that the extensions .jsp and .jhtml are handed to
        the page-compilation servlets (JSPServlet and PageCompileServlet),
        which compile a page before serving its output.

        WebLogic, being case sensitive by default, treats .jsp and .JSP
        as two different extensions; the same holds for .jhtml and
        .JHTML. If a request for a .JSP file is made, WebLogic finds no
        handler registered for the .JSP extension and falls back to the
        default handler, which is of type "text". Since the underlying
        Windows NT file system does not differentiate between upper case
        and lower case filenames, the requested file is still found, and
        it is served as plain text without being parsed or compiled. On
        WebLogic running on Unix servers, where the file system is case
        sensitive, the same request instead produces a "File not Found"
        error.
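        To make the two case-folding layers concrete, the following Python
        model of the lookup just described is added here; it is not WebLogic
        code. The handler table is the one from the configuration excerpt
        above; the document root and its file contents are constructed. The
        `exact_extension_match` flag reproduces the observable behaviour the
        advisory describes (vulnerable: the extension string is compared
        literally; fixed: it is folded to the registered spelling), and
        `fs_case_sensitive` stands for an NT versus a Unix file system. How
        either flag maps onto WebLogic's internal implementation is an
        assumption of the model.

```python
"""
Added example (not WebLogic code): a minimal model of the handler lookup
the advisory describes. Handlers are keyed by the extension string taken
from the request; a miss falls through to the default "text" handler, which
returns the file's bytes unparsed. Whether a differently-cased name still
resolves to a file on disk is decided by the file system layer, so the two
case-folding policies are modelled separately.
"""
import os

# Handler table taken from the weblogic.properties excerpt in the advisory.
REGISTERED = {
    ".jsp": "weblogic.servlet.JSPServlet",
    ".jhtml": "weblogic.servlet.jhtmlc.PageCompileServlet",
}
DEFAULT_HANDLER = "text"

# Constructed document root; names are stored exactly as created on disk.
DOC_ROOT = {
    "login.jsp": '<%@ page import="java.sql.*" %> ... (constructed JSP source)',
    "index.jhtml": "<java> ... </java> (constructed JHTML source)",
}


def resolve_file(name, fs_case_sensitive):
    """Return the stored file name matching `name`, or None.

    fs_case_sensitive=False folds case the way NTFS does, so LOGIN.JSP and
    login.jsp are the same file; True models a typical Unix file system.
    """
    if fs_case_sensitive:
        return name if name in DOC_ROOT else None
    for stored in DOC_ROOT:
        if stored.lower() == name.lower():
            return stored
    return None


def pick_handler(name, exact_extension_match):
    """Map a request name to a handler.

    exact_extension_match=True is the vulnerable behaviour: ".JSP" is looked
    up literally and misses the ".jsp" entry. False folds the extension to
    the registered spelling first (the observable effect of the fix).
    """
    ext = os.path.splitext(name)[1]
    if exact_extension_match:
        return REGISTERED.get(ext, DEFAULT_HANDLER)
    return REGISTERED.get(ext.lower(), DEFAULT_HANDLER)


def serve(path, exact_extension_match=True, fs_case_sensitive=False):
    """Return (status, handler, body) for a request path such as '/login.JSP'."""
    name = path.lstrip("/")
    stored = resolve_file(name, fs_case_sensitive)
    if stored is None:
        return 404, None, "File not Found"
    handler = pick_handler(name, exact_extension_match)
    if handler == DEFAULT_HANDLER:
        # Served as plain text: the unparsed source is what leaks.
        return 200, handler, DOC_ROOT[stored]
    return 200, handler, "<output of compiled page>"


if __name__ == "__main__":
    for case in [
        ("/login.jsp", True, False),   # normal request on NT
        ("/login.JSP", True, False),   # 4.5.1 on NT: source disclosed
        ("/login.JSP", True, True),    # same server on Unix: File not Found
        ("/login.JSP", False, False),  # after the fix: page is compiled
    ]:
        print(case, "->", serve(*case))
```

        The point the model makes is general: whenever a dispatcher keys on
        a literal string but the storage beneath it normalises names, every
        normalisation the storage performs must be applied before the
        dispatch lookup as well, or the fallback handler sees the raw file.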

Proof of concept

        Normally, JSP and JHTML files are referred to in URLs using
        lower case extensions. For example:

                http://site.running.weblogic/login.jsp          -or-
                http://site.running.weblogic/index.jhtml

        By changing one or more letters of the extension (.jsp or .jhtml)
        to upper case, it is possible to obtain the unparsed source code
        of the JSP or JHTML file:

                http://site.running.weblogic/login.JSP          -or-
                http://site.running.weblogic/index.JHTML

Solution

        Workaround

        A cumbersome workaround to this problem would be to add
        handlers for the following file extensions in the configuration
        file:

        For .jsp files:

        .jsp    .Jsp    .jSp    .jsP    .JSp    .jSP    .JsP    .JSP

        For .jhtml files:

        .jhtml  .Jhtml  .jHtml  .jhTml  .jhtMl  .jhtmL  .JHtml  .JhTml
        .JhtMl  .JhtmL  .jHTml  .jHtMl  .jHtmL  .jhTMl  .jhTmL  .jhtML
        .JHTml  .JHtMl  .JHtmL  .JhTMl  .JhTmL  .JhtML  .jHTMl  .jHTmL
        .jHtML  .jhTML  .JHTMl  .JHTmL  .JhTML  .jHTML  .JHTML

        These extensions cover all combinations of upper and lower case
        characters for .jsp and .jhtml.

        Fix

        Check the following property in the weblogic.properties file:

                weblogic.httpd.servlet.extensionCaseSensitive

        In certain versions of BEA WebLogic Server, the default setting
        of this property is set to "false". For maximum security, as
        documented in the BEA security lockdown documentation at:

                http://www.weblogic.com/docs51/admindocs/properties.html
                http://www.weblogic.com/docs51/admindocs/lockdown.html

        set weblogic.httpd.servlet.extensionCaseSensitive to "true", or
        add the following line to your weblogic.properties file:

                weblogic.httpd.servlet.extensionCaseSensitive=true

        See the following matrix to determine the appropriate course of
        action for your version of BEA WebLogic Server.

        Version:   BEA WebLogic 5.1 for Windows NT
        Status:    Set to true by default
        Action:    None

        Version:   BEA WebLogic 4.5.2 for Windows NT
        Status:    Set to true by default
        Action:    None

        Version:   BEA WebLogic 4.5.1 for Windows NT
        Status:    Set to false by default
        Action:    Set weblogic.httpd.servlet.extensionCaseSensitive=true

        Version:   BEA WebLogic 4.0.4 for Windows NT
        Status:    Set to false by default
        Action:    Set weblogic.httpd.servlet.extensionCaseSensitive=true

        Version:   BEA WebLogic 3.1.8
        Status:    Set to false by default
        Action:    Apply patch found at:

        ftp://ftpna.beasys.com/pub/releases/318/caseSensitiveNTFix318.zip
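        Both the workaround and the fix above can be checked mechanically.
        The following Python script is an added example, not Foundstone's or
        BEA's code: it parses a weblogic.properties file (Java properties
        syntax, including the backslash line continuations used in the
        excerpt in the Details section), reports whether
        weblogic.httpd.servlet.extensionCaseSensitive=true is present, and
        for each extension registered through weblogic.httpd.register.*.<ext>
        lists the case spellings that still have no handler of their own.
        Generating the spellings programmatically also guards against
        transcription slips: the function yields all 2^5 = 32 spellings of
        .jhtml, whereas the hand-written workaround list contains 31 (.JHtML
        is absent). The sample configuration embedded below is the
        advisory's own excerpt, used here as constructed input.

```python
"""
Added example (not Foundstone's or BEA's code): audit a weblogic.properties
file for the two mitigations the advisory gives. It reads Java-properties
syntax with backslash line continuations, lists the extensions registered
through weblogic.httpd.register.*.<ext>, reports which case spellings of
each have no handler (the workaround) and whether
weblogic.httpd.servlet.extensionCaseSensitive=true is set (the fix).
"""
from itertools import product

FIX_KEY = "weblogic.httpd.servlet.extensionCaseSensitive"
REGISTER_PREFIX = "weblogic.httpd.register.*."

# Constructed sample: the out-of-the-box excerpt quoted in the advisory.
SAMPLE_PROPERTIES = r"""
# WEBLOGIC JHTML PROPERTIES
weblogic.httpd.register.*.jhtml=\
       weblogic.servlet.jhtmlc.PageCompileServlet
weblogic.httpd.initArgs.*.jhtml=\
       pageCheckSeconds=1,\
       packagePrefix=examples.jhtml,\
       compileCommand=c:/java/bin/javac.exe,\
       workingDir=d:/weblogic/myserver/classfiles,\
       verbose=true

# WEBLOGIC JSP PROPERTIES
weblogic.httpd.register.*.jsp=\
       weblogic.servlet.JSPServlet
weblogic.httpd.initArgs.*.jsp=\
       pageCheckSeconds=1,\
       compileCommand=c:/java/bin/javac.exe,\
       workingDir=d:/weblogic/myserver/classfiles,\
       verbose=true
"""


def parse_properties(text):
    """Minimal java.util.Properties reader.

    Handles '#'/'!' comment lines, '=' or ':' as the key/value separator and
    trailing-backslash continuation; leading whitespace on a continued line
    is dropped, as Properties.load does. Escape sequences are not decoded.
    """
    props = {}
    logical = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not logical and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            logical += line[:-1]
            continue
        logical += line
        for i, ch in enumerate(logical):
            if ch in "=:":
                key, value = logical[:i], logical[i + 1:]
                break
        else:
            key, value = logical, ""
        props[key.strip()] = value.strip()
        logical = ""
    return props


def case_variants(ext):
    """Every upper/lower-case spelling of an extension ('jsp' -> 8 strings)."""
    choices = [(ch.lower(), ch.upper()) for ch in ext]
    return {"".join(combo) for combo in product(*choices)}


def registered_extensions(props):
    """Extensions that have a handler via weblogic.httpd.register.*.<ext>."""
    return {k[len(REGISTER_PREFIX):] for k in props if k.startswith(REGISTER_PREFIX)}


def audit(text):
    """Return the findings a reviewer of this file would want."""
    props = parse_properties(text)
    registered = registered_extensions(props)
    # Group spellings by their case-folded form, so that a registered .JSP
    # counts toward covering .jsp rather than as a separate page type.
    by_type = {}
    for ext in registered:
        by_type.setdefault(ext.lower(), set()).add(ext)
    missing = {t: sorted(case_variants(t) - seen) for t, seen in by_type.items()}
    return {
        "fix_applied": props.get(FIX_KEY, "").lower() == "true",
        "registered": registered,
        "missing_variants": missing,
    }


if __name__ == "__main__":
    for label, text in [("as shipped", SAMPLE_PROPERTIES),
                        ("with fix", SAMPLE_PROPERTIES + FIX_KEY + "=true\n")]:
        result = audit(text)
        print(label, "- fix_applied:", result["fix_applied"])
        for ext, gaps in sorted(result["missing_variants"].items()):
            print("  %s: %d unhandled spellings, e.g. %s" % (ext, len(gaps), gaps[:3]))
```

        To check a real server, call audit() on the contents of its
        weblogic.properties file: a result with fix_applied set, or with
        empty missing_variants lists, means no further change is needed for
        this issue on the versions covered by the matrix above.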

Credits

        We would like to thank Shreeraj Shah for drawing our attention to
        this vulnerability. In addition, we would like to thank BEA for
        their prompt and serious attention to the problem.

Disclaimer

        The information contained in this advisory is the copyright (C)
        2000 of Foundstone, Inc. and believed to be accurate at the time
        of printing, but no representation or warranty is given, express
        or implied, as to its accuracy or completeness. Neither the
        author nor the publisher accepts any liability whatsoever for
        any direct, indirect or consequential loss or damage arising in
        any way from any use of, or reliance placed on, this information
        for any purpose. This advisory may be redistributed provided that
        no fee is assigned and that the advisory is not modified in any
        way.

