Bugtraq mailing list archives
Re: def-2001-14: Bea Weblogic Directory Browsing (re-release)
From: Adam Boileau <adam.boileau () STORM NET NZ>
Date: Wed, 28 Mar 2001 12:31:35 +1200
> ------------------------=[Affected Systems]=--------------------------
> - Bea Weblogic Server 6.0 for Windows NT/2000
> - It appears that versions prior to 6.0 might also be vulnerable!
They are indeed - I turned directory listing back on and was able to reproduce the originally described effect in 4.5.1 and 5.1.
> It should be noted that this will not fix the issue with revealing jsp sourcecode that Adam Boileau reported to Bugtraq in response to the original posting of this advisory!
To expand somewhat, after some further work:

Appending a '%00' to the end of a .jsp request retrieves the source of the jsp. I have reproduced this on WL 4.5.1 SP11 and SP13 in both cluster and standalone configurations. I have also reproduced it with 5.1 SP6 and SP3, all in a Solaris environment.

The negative result that I initially got with SP11 turned out to be quite interesting - it occurs only when passed through libproxy.so 4.5.1 SP7. Testing directly against the weblogic server, the %00 trick works. When proxied (in my case, through Netscape Enterprise Server) via solaris/libproxy.so 4.5.1 SP8, SP9, SP11, SP11 (with fix), and SP13, it also works. When proxied through 4.5.1 SP7, it does not. I don't have any versions earlier than SP7 to try - results would be interesting if anyone does.

This gives people in my position a workaround until BEA come up with a fix - running an old version of libproxy.so.

I've done no testing of WLS on NT - you're on your own.

I have notified BEA (they released an advisory in response to the Defcom Labs directory listing vuln today, but nothing about my little observation) today, shorter notice than RFP would like[1], but given that the cat is already out of the bag, I figured it was better to let people know as soon as possible.

Regards,
Adam

-------------
Adam Boileau
Security Consultant
Auckland, New Zealand

[1] But then again, he wears gold lame[2] pants, so who are we to take him seriously ;)
[2] That's "lah-may" not "lame" :)
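The request pattern described in the message above (a `.jsp` path with a trailing `%00`) is straightforward to look for in web-server access logs while waiting on a vendor fix. The following is an added example for defenders, not code from the thread, from BEA or from the Defcom advisory: a small Python scanner over constructed Common Log Format lines. It percent-decodes the request path (peeling double encoding such as `%2500`), ignores the query string, and reports any request whose path carries a NUL byte, marking whether the part before the NUL ends in `.jsp`. The log lines, IP addresses and timestamps are constructed for the example.

```python
import re
from urllib.parse import unquote

# Common Log Format request line: ip ident user [ts] "METHOD target PROTO" status size
# (regex written for this example; adjust the group layout for other log formats)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines; not real traffic and not taken from the thread.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Mar/2001:12:31:35 +1200] "GET /index.jsp HTTP/1.0" 200 1532
10.0.0.5 - - [28/Mar/2001:12:31:36 +1200] "GET /index.jsp%00 HTTP/1.0" 200 4210
10.0.0.7 - - [28/Mar/2001:12:32:01 +1200] "GET /admin/login.jsp%2500 HTTP/1.0" 200 3980
10.0.0.9 - - [28/Mar/2001:12:33:10 +1200] "GET /images/logo.gif HTTP/1.0" 200 8890
10.0.0.9 - - [28/Mar/2001:12:33:11 +1200] "GET /help.jsp?id=%00 HTTP/1.0" 200 900
"""


def decode_path(target, max_rounds=3):
    """Return the request path (query string dropped) with percent-encoding
    removed, applying unquote repeatedly so double-encoded NULs are exposed."""
    path = target.split('?', 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def scan_log(text):
    """Parse each log line and collect requests whose decoded path contains a
    NUL byte. Each hit records whether the pre-NUL path ends in .jsp, which is
    the pattern the thread describes."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real deployment would count these
        rec = m.groupdict()
        path = decode_path(rec['target'])
        if '\x00' not in path:
            continue
        stem = path.split('\x00', 1)[0]
        hits.append({
            'ip': rec['ip'],
            'ts': rec['ts'],
            'target': rec['target'],
            'status': int(rec['status']),
            'size': rec['size'],
            'jsp': stem.lower().endswith('.jsp'),
        })
    return hits


if __name__ == '__main__':
    for h in scan_log(SAMPLE_LOG):
        kind = 'jsp-null' if h['jsp'] else 'null'
        print(f"{h['ts']} {h['ip']} {kind} {h['target']} status={h['status']} size={h['size']}")
```

A flagged line with a 200 status and a response size that differs from the normal response for the same `.jsp` is the one worth pulling the response for; a NUL in the query string is deliberately not flagged, since the path truncation is what the message describes. Decoding before matching matters because a proxy tier and the WebLogic tier may record the same request target in different encodings.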
Current thread:
- def-2001-14: Bea Weblogic Directory Browsing (re-release) Peter Gründl (Mar 27)
- Re: def-2001-14: Bea Weblogic Directory Browsing (re-release) Adam Boileau (Mar 27)
- Re: def-2001-14: Bea Weblogic Directory Browsing (re-release) Adam Boileau (Mar 28)
- Re: def-2001-14: Bea Weblogic Directory Browsing (re-release) Adam Boileau (Mar 27)