Bugtraq mailing list archives

Re: def-2001-14: Bea Weblogic Unicode Directory Browsing


From: Adam Boileau <adam.boileau () STORM NET NZ>
Date: Tue, 27 Mar 2001 12:36:03 +1200

It is interesting to note that similar (in fact, worse) behaviour is
exhibited in both Weblogic 4.5.1 and 5.1.

Appending a '%00' to the end of a .jsp request retrieves the source of the
jsp.

So far I have been able to demonstrate this on several, but not all of my
weblogic farm. Results look something like this:

4.5.1 SP13 Single : Yes
4.5.1 SP13 Cluster: Yes
4.5.1 SP11 Single : Yes
4.5.1 SP11 Cluster: No[1]

5.1 SP6 Single: Yes
5.1 SP3 Single: Yes[2]

The other unicode encoded characters mentioned in the Defcom advisory
appear to have no immediately visible effect.

I was not able to convince it to give me a directory listing, but this may
well be due to the fact that I have indexing turned off in the weblogic
config.

Given that upgrading to WL6 is not an option for some of us with
significant investments in applications that run on 4.x and 5.x, hopefully
BEA will come up with an option other than 'run WL6SP1'.

Adam

[1] I'm not convinced that this isn't some instance specific configuration
issue. I'm working on tracking this down.
[2] I don't have a 5.1 cluster yet...

On Mon, 26 Mar 2001, Peter Gründl wrote:

======================================================================
                  Defcom Labs Advisory def-2001-14

              Bea Weblogic Unicode Directory Browsing

Author: Peter Gründl <peter.grundl () defcom com>
Release Date: 2001-03-26
======================================================================
------------------------=[Brief Description]=-------------------------
The Bea Weblogic server contains a flaw that allows directory browsing
even if the directories contain default documents.

------------------------=[Affected Systems]=--------------------------
- Bea Weblogic Server 6.0 for Windows NT/2000

----------------------=[Detailed Description]=------------------------
By requesting a URL and ending it with one of the following unicode
representations: %00, %2e, %2f or %5c, it is possible to bypass the
listing of the default document (eg. index.html) and browse the
content of the web folders.

Examples:
http://www.foo.org/%00/
http://www.foo.org/images/%2e/
http://www.foo.org/passwords/%2f/
http://www.foo.org/creditcard/%5c/

The four unicode representations translate to "null", ".", "/" and "\"

---------------------------=[Workaround]=-----------------------------
Download and install Weblogic 6.0 with Service Pack 1:
http://commerce.bea.com/downloads/weblogic_server.jsp#wls

-------------------------=[Vendor Response]=--------------------------
This issue was brought to the vendor's attention on the 22nd of
February, 2001 and a workaround was received on the 6th of March 2001.

======================================================================
            This release was brought to you by Defcom Labs

              labs () defcom com             www.defcom.com
======================================================================
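As an added example (not part of the original post or the Defcom advisory), a small log detector for the two request shapes discussed in this thread: a '.jsp%00' suffix and a final path segment that is one of the four encoded terminators the advisory lists; it also generalises to any NUL byte surviving percent-decoding anywhere in the path. The label strings and the sample access-log lines are constructed for this example.

```python
import re
from urllib.parse import unquote

# Percent-encoded bytes listed in def-2001-14 and what each decodes to.
ENCODED_TERMINATORS = {"%00": "null", "%2e": ".", "%2f": "/", "%5c": "\\"}

# Request line inside a Common Log Format entry: "METHOD PATH HTTP/x.y"
_REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

def classify_path(raw_path):
    """Return a finding label for a raw (still percent-encoded) request path,
    or None if it matches none of the patterns described in the thread."""
    path = raw_path.split("?", 1)[0]          # ignore the query string
    lowered = path.lower()                    # %5C and %5c are equivalent
    # Variant 1 (follow-up post): '%00' appended to a .jsp request.
    if lowered.endswith(".jsp%00"):
        return "jsp-source-disclosure (%00 after .jsp)"
    # Variant 2 (advisory): the last path segment is one encoded character.
    segments = lowered.rstrip("/").split("/")
    last = segments[-1] if segments else ""
    if last in ENCODED_TERMINATORS:
        return f"directory-browsing ({last} -> {ENCODED_TERMINATORS[last]!r})"
    # Generalisation: a NUL byte has no legitimate place in a decoded path.
    if "\x00" in unquote(path):
        return "embedded-null (%00 elsewhere in path)"
    return None

def scan_log(lines):
    """Yield (line_number, path, finding) for every matching log line."""
    for n, line in enumerate(lines, 1):
        m = _REQ_RE.search(line)
        if not m:
            continue                          # not a parseable request line
        finding = classify_path(m.group("path"))
        if finding:
            yield n, m.group("path"), finding

# Constructed sample log lines (hypothetical host and paths, not from the post).
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Mar/2001:12:00:01 +1200] "GET /index.html HTTP/1.0" 200 512',
    '10.0.0.5 - - [27/Mar/2001:12:00:02 +1200] "GET /app/login.jsp%00 HTTP/1.0" 200 2048',
    '10.0.0.5 - - [27/Mar/2001:12:00:03 +1200] "GET /images/%2e/ HTTP/1.0" 200 4096',
    '10.0.0.5 - - [27/Mar/2001:12:00:04 +1200] "GET /%00/ HTTP/1.0" 200 4096',
    '10.0.0.5 - - [27/Mar/2001:12:00:05 +1200] "GET /docs/%5C/ HTTP/1.0" 200 4096',
    '10.0.0.5 - - [27/Mar/2001:12:00:06 +1200] "GET /app/page.jsp?id=%2e HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for n, path, finding in scan_log(SAMPLE_LOG):
        print(f"line {n}: {path} -> {finding}")
```

A 200 response on a flagged line is the signal worth triaging, since a patched server should not serve content for these paths.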
