Bugtraq mailing list archives

Re: def-2001-14: Bea Weblogic Directory Browsing (re-release)


From: Adam Boileau <adam.boileau () STORM NET NZ>
Date: Wed, 28 Mar 2001 12:31:35 +1200

> ------------------------=[Affected Systems]=--------------------------
> - Bea Weblogic Server 6.0 for Windows NT/2000
> - It appears that versions prior to 6.0 might also be vulnerable!


They are indeed - I turned directory listing back on and was able to
reproduce the originally described effect in 4.5.1 and 5.1.


> It should be noted that this will not fix the issue with revealing jsp
> sourcecode that Adam Boileau reported to Bugtraq in response to the
> original posting of this advisory!

To expand somewhat, after some further work:

Appending a '%00' to the end of a .jsp request retrieves the source of the
jsp.

I have reproduced this on WL 4.5.1 SP11 and SP13 in both cluster and
standalone configurations. I have also reproduced it with 5.1 SP6 and SP3,
all in a Solaris environment.

The negative result that I initially got with SP11 turned out to be quite
interesting - it occurs only when passed through libproxy.so 4.5.1 SP7.

Testing directly against the weblogic server, the %00 trick works. When
proxied (in my case, through Netscape Enterprise Server) via
solaris/libproxy.so 4.5.1 SP8, SP9, SP11, SP11(with fix), and SP13, it
also works. When proxied through 4.5.1 SP7, it does not. I don't have any
versions earlier than SP7 to try - results would be interesting if anyone
does.

This gives people in my position a workaround until BEA come up with a fix
- running an old version of libproxy.so.

I've done no testing of WLS on NT - you're on your own.

I have notified BEA (they released an advisory in response to the Defcom
Labs directory listing vuln today, but nothing about my little
observation) today, shorter notice than RFP would like[1], but given that
the cat is already out of the bag, I figured it was better to let people know
as soon as possible.

Regards,
Adam

-------------
Adam Boileau
Security Consultant
Auckland, New Zealand

[1] But then again, he wears gold lame[2] pants, so who are we to take him
seriously ;)
[2] That's "lah-may" not "lame" :)
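A small checker for the '%00' JSP source-disclosure trick described in the message above. This is an added example and is not code from Adam Boileau's post or from BEA; the host name, paths and access-log lines in it are constructed for illustration. It builds the probe URL, decides whether a response body still contains unprocessed JSP markup (`<%` directives/scriptlets or `<jsp:` actions, which a correctly compiled page never emits), and also scans web-server access logs for requests carrying `.jsp%00`, so the same logic serves both as a pre-fix check and as a detection rule:

```python
"""Check a WebLogic JSP URL for the '%00' source-disclosure trick and hunt for
attempts in access logs.  Added example, not the original post's code.
Host names, paths and log lines below are constructed samples."""
import re
import urllib.request
from urllib.parse import urlsplit, urlunsplit

# Markup that only appears in JSP source, never in a page WebLogic has compiled.
JSP_MARKERS = re.compile(r"<%|<jsp:", re.IGNORECASE)

# Request line of a combined/common-format access log entry.
LOG_REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d"')


def null_byte_probe_url(url: str) -> str:
    """Append an encoded NUL to the path of a .jsp URL, preserving any query string."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith(".jsp"):
        raise ValueError("expected a path ending in .jsp")
    return urlunsplit((parts.scheme, parts.netloc, parts.path + "%00",
                       parts.query, parts.fragment))


def looks_like_jsp_source(body: str) -> bool:
    """True if the body contains JSP directives, scriptlets or actions."""
    return JSP_MARKERS.search(body) is not None


def source_disclosed(normal_body: str, probe_body: str) -> bool:
    """Leak confirmed when the %00 variant shows JSP markup but the normal page does not.
    Requiring the normal page to be clean avoids false positives on a site that
    happens to echo '<%' in ordinary HTML."""
    return looks_like_jsp_source(probe_body) and not looks_like_jsp_source(normal_body)


def check_live(url: str, timeout: float = 10.0) -> bool:
    """Fetch the page and its %00 variant from a real server (network access required).
    urlopen raises HTTPError for 4xx/5xx, which counts as 'not disclosed' for our purposes."""
    def fetch(u: str) -> str:
        with urllib.request.urlopen(u, timeout=timeout) as resp:
            return resp.read().decode("latin-1", "replace")
    try:
        return source_disclosed(fetch(url), fetch(null_byte_probe_url(url)))
    except urllib.error.HTTPError:
        return False


def find_null_byte_requests(log_lines) -> list:
    """Return request targets from access-log lines that asked for '.jsp%00'.
    The web server logs the request line as sent, so '%00' stays percent-encoded."""
    hits = []
    for line in log_lines:
        m = LOG_REQUEST.search(line)
        if m and re.search(r"\.jsp%00", m.group(1), re.IGNORECASE):
            hits.append(m.group(1))
    return hits


# --- constructed samples (not captured from a real server) -------------------
SAMPLE_NORMAL_BODY = "<html><body><h1>Hello</h1><p>Cart is empty.</p></body></html>"
SAMPLE_PROBE_BODY = (
    '<%@ page import="java.util.*" %>\n'
    "<html><body><h1>Hello</h1><p>Cart is <%= cart.size() %> items.</p></body></html>"
)
SAMPLE_LOG = [
    '10.0.0.5 - - [28/Mar/2001:12:31:35 +1200] "GET /app/login.jsp HTTP/1.0" 200 1843 "-" "Mozilla/4.7"',
    '10.0.0.5 - - [28/Mar/2001:12:31:36 +1200] "GET /app/login.jsp%00 HTTP/1.0" 200 2210 "-" "Mozilla/4.7"',
    '10.0.0.9 - - [28/Mar/2001:12:40:01 +1200] "GET /images/logo.gif HTTP/1.0" 200 512 "-" "Mozilla/4.7"',
    '10.0.0.5 - - [28/Mar/2001:12:41:12 +1200] "GET /shop/cart.JSP%00?item=3 HTTP/1.0" 200 3100 "-" "Mozilla/4.7"',
]

if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    print("probe URL:", null_byte_probe_url("http://weblogic.example/app/index.jsp?id=1"))
    print("disclosed:", source_disclosed(SAMPLE_NORMAL_BODY, SAMPLE_PROBE_BODY))
    print("log hits:", find_null_byte_requests(SAMPLE_LOG))
```

Run `check_live("http://<your host>/some.jsp")` against a test instance to reproduce the result for your own patch level; the log scanner is worth running over front-end (here Netscape Enterprise Server) logs as well as WebLogic's, since the post notes the outcome differs by proxy plug-in version.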

