BEA WebLogic SSIServlet Source Code Disclosure

2000-07-31T00:00:00
ID OSVDB:1480
Type osvdb
Reporter OSVDB
Modified 2000-07-31T00:00:00

Description

Vulnerability Description

BEA WebLogic contains a flaw that may lead to unauthorized information disclosure. The issue is triggered when /*.shtml/ is inserted into a URL, which discloses the source of .jsp and .jhtml pages, resulting in a loss of confidentiality.

Technical Description

When /*.shtml/ is prepended to the path portion of a URL, the request invokes the SSIServlet, which sends the JSP source rather than the parsed output of the JSP.
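A defender-side check for this request pattern in web access logs, added here as an example; it is not part of the OSVDB entry or the vendor advisory. The Common Log Format input, the constructed sample lines, the severity labels and the percent-decoding step are all assumptions.

```python
import re
from urllib.parse import unquote

# Common Log Format: client, ident, user, [time], "METHOD target PROTO", status
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')
# The trigger named in the advisory: a "/*.shtml/" segment in the URL path.
TRIGGER_RE = re.compile(r"/\*\.shtml/", re.IGNORECASE)
SOURCE_EXT_RE = re.compile(r"\.(jsp|jhtml)$", re.IGNORECASE)

def normalize(target):
    """Drop the query string and undo percent-encoding (bounded, so that
    "%2a" and "%252a" both become "*"). Assumption: a defensive
    normalization step, not something the advisory describes."""
    path = target.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def classify(line):
    """Return a finding dict for a log line carrying the trigger, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, _method, target, status = m.groups()
    path = normalize(target)
    if not TRIGGER_RE.search(path):
        return None
    # A 200 for a .jsp/.jhtml target means page source may have been served.
    served = status == "200" and SOURCE_EXT_RE.search(path) is not None
    return {"client": client, "path": path, "status": int(status),
            "severity": "high" if served else "medium"}

def scan(lines):
    return [f for f in map(classify, lines) if f]

# Constructed sample log lines (documentation-range addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [31/Jul/2000:10:00:01 +0000] "GET /index.jsp HTTP/1.0" 200 5120',
    '198.51.100.7 - - [31/Jul/2000:10:00:05 +0000] "GET /*.shtml/login.jsp HTTP/1.0" 200 2048',
    '198.51.100.7 - - [31/Jul/2000:10:00:06 +0000] "GET /%2a.SHTML/cart.jhtml?id=1 HTTP/1.0" 200 900',
    '198.51.100.7 - - [31/Jul/2000:10:00:07 +0000] "GET /*.shtml/missing.jsp HTTP/1.0" 404 210',
    '192.0.2.10 - - [31/Jul/2000:10:00:09 +0000] "GET /docs/page.shtml HTTP/1.0" 200 700',
]
```

Findings marked high are the ones to follow up first: compare the logged response with the normal rendered page to confirm whether source was returned.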

Solution Description

Upgrade to versions listed below or higher, as they have been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

BEA WebLogic Server and Express 6.1: install SP 2 and CR069809_610sp2_v2.jar.
BEA WebLogic Server and Express 6.0: install SP 2, Rolling Patch 3 and CR069809_60sp2rp3.jar.
BEA WebLogic Server and Express 5.1: install SP 11 and CR069809_510sp11_v2.jar.
BEA WebLogic Server and Express 4.5.2: install SP 2 and CR045420_wls452sp2.zip.
BEA WebLogic Server and Express 4.5.1: install SP 15.

Manual Testing Notes

Load a parsed page on the remote system and insert /*.shtml/ into the URL after the host specification. Load the new URL to determine if the application code is returned instead of HTML.

References:

Vendor Specific Solution URL: http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA02-03.jsp
Snort Signature ID: 2139
Related OSVDB ID: 1481
Nessus Plugin ID: 11604
ISS X-Force ID: 11746
CVE-2000-0683
Bugtraq ID: 1517