Bugtraq mailing list archives
Re: def-2001-14: Bea Weblogic Unicode Directory Browsing
From: Adam Boileau <adam.boileau () STORM NET NZ>
Date: Tue, 27 Mar 2001 12:36:03 +1200
It is interesting to note that similar (in fact, worse) behaviour is exhibited in both Weblogic 4.5.1 and 5.1. Appending a '%00' to the end of a .jsp request retrieves the source of the jsp. So far I have been able to demonstrate this on several, but not all of my weblogic farm. Results look something like this:

4.5.1 SP13 Single : Yes
4.5.1 SP13 Cluster: Yes
4.5.1 SP11 Single : Yes
4.5.1 SP11 Cluster: No[1]
5.1   SP6  Single : Yes
5.1   SP3  Single : Yes[2]

The other unicode encoded characters mentioned in the Defcom advisory appear to have no immediately visible effect. I was not able to convince it to give me a directory listing, but this may well be due to the fact that I have indexing turned off in the weblogic config.

Given that upgrading to WL6 is not an option for some of us with significant investments in applications that run on 4.x and 5.x, hopefully BEA will come up with an option other than 'run WL6SP1'.

Adam

[1] I'm not convinced that this isn't some instance specific configuration issue. I'm working on tracking this down.
[2] I don't have a 5.1 cluster yet...

On Mon, 26 Mar 2001, Peter Gründl wrote:
======================================================================
Defcom Labs Advisory def-2001-14
Bea Weblogic Unicode Directory Browsing

Author: Peter Gründl <peter.grundl () defcom com>
Release Date: 2001-03-26
======================================================================

------------------------=[Brief Description]=-------------------------
The Bea Weblogic server contains a flaw that allows directory browsing even if the directories contain default documents.

------------------------=[Affected Systems]=--------------------------
- Bea Weblogic Server 6.0 for Windows NT/2000

----------------------=[Detailed Description]=------------------------
By requesting a URL and ending it with one of the following unicode representations: %00, %2e, %2f or %5c, it is possible to bypass the listing of the default document (e.g. index.html) and browse the content of the web folders.

Examples:
http://www.foo.org/%00/
http://www.foo.org/images/%2e/
http://www.foo.org/passwords/%2f/
http://www.foo.org/creditcard/%5c/

The four unicode representations translate to "null", ".", "/" and "\"

---------------------------=[Workaround]=-----------------------------
Download and install Weblogic 6.0 with Service Pack 1:
http://commerce.bea.com/downloads/weblogic_server.jsp#wls

-------------------------=[Vendor Response]=--------------------------
This issue was brought to the vendor's attention on the 22nd of February, 2001 and a workaround was received on the 6th of March 2001.

======================================================================
This release was brought to you by Defcom Labs
labs () defcom com
www.defcom.com
======================================================================
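A defender-side check for the pattern discussed in this thread, added here as an example and not taken from the advisory or from any poster: it decodes each request path the way a filesystem layer would and flags requests where the encoded and decoded views disagree (a %00 in the path, or a %2e/%2f/%5c standing in for a dot or a separator), then runs that over a few constructed access-log lines. The log lines, addresses and paths are made up for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Mar/2001:10:01:02 +0000] "GET /images/ HTTP/1.0" 200 512
10.0.0.7 - - [26/Mar/2001:10:01:09 +0000] "GET /images/%2e/ HTTP/1.0" 200 4096
10.0.0.7 - - [26/Mar/2001:10:01:15 +0000] "GET /app/login.jsp%00 HTTP/1.0" 200 2210
10.0.0.9 - - [26/Mar/2001:10:02:01 +0000] "GET /docs/%5c/ HTTP/1.0" 200 8800
10.0.0.9 - - [26/Mar/2001:10:02:30 +0000] "GET /docs/readme%2etxt HTTP/1.0" 200 120
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')


def suspicious_reason(raw_path):
    """Return why a raw (still percent-encoded) request path matches the
    advisory's pattern, or None if it does not.

    The bug class here is a server deciding "directory with a default
    document?" on the raw path, then resolving the decoded path. So we
    decode as the file layer would and compare the two views; a literal
    "/./" is left alone because both views agree on it.
    """
    path = raw_path.split("?", 1)[0]            # ignore the query string
    decoded = unquote(path)
    if "\x00" in decoded:
        return "null byte in path"               # e.g. login.jsp%00 or /%00/
    decoded = decoded.replace("\\", "/")         # %5c acts as a separator
    raw_segs = path.split("/")
    dec_segs = decoded.split("/")
    if len(dec_segs) != len(raw_segs):
        # decoding produced extra components: %2f or %5c was in the path
        return "encoded path separator (%2f or %5c) in path"
    for raw_seg, dec_seg in zip(raw_segs, dec_segs):
        if raw_seg != dec_seg and dec_seg in (".", ".."):
            return f"encoded dot segment {raw_seg!r}"  # %2e or %2e%2e
    return None


def scan_log(text):
    """Return (client, raw_target, reason) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        reason = suspicious_reason(m.group("target"))
        if reason:
            hits.append((line.split()[0], m.group("target"), reason))
    return hits
```

Requests that merely contain an encoded dot inside a filename (readme%2etxt) are not flagged, since decoding them does not change the directory structure of the path.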