BEA's WebLogic force handlers show code vulnerability

2000-08-01T00:00:00
ID SECURITYVULNS:DOC:494
Type securityvulns
Reporter Securityvulns
Modified 2000-08-01T00:00:00

Description

                        Foundstone, Inc.
                    http://www.foundstone.com
                  "Securing the Dot Com World"

                       Security Advisory

     BEA's WebLogic force handlers show code vulnerability

FS Advisory ID: FS-072800-9-BEA

Release Date: July 28, 2000

Product: WebLogic

Vendor: BEA Systems (http://www.beasys.com)

Vendor Advisory: Contact the vendor

Type: Forced Handlers: Show code vulnerability

Severity: Low to Medium (depending on JSP/JHTML coding practices & web application security)

Authors: Saumil Shah (saumil.shah@foundstone.com), Shreeraj Shah (shreeraj.shah@foundstone.com)

Operating Systems: All operating systems

Vulnerable versions: BEA WebLogic Enterprise 5.1.x; BEA WebLogic Server and Express 5.1.x; BEA WebLogic Server and Express 4.5.x

Foundstone Advisory: http://www.foundstone.com

Description

    Two show code vulnerabilities exist in BEA's WebLogic 5.1.0 that
    allow an attacker to view the source code of any file within the
    web document root of the web server. Depending on the web
    application and its directory structure, an attacker can access
    and view files he is not authorized to see, including JSP/JHTML
    source and any credentials or logic embedded in it.

Details

    1. Viewing unparsed pages by forcibly invoking SSIServlet:
    ----------------------------------------------------------

    Server Side Includes pages are processed by the SSIServlet in
    WebLogic.

    It is registered in the weblogic.properties file as follows:

    weblogic.httpd.register.*.shtml=
            weblogic.servlet.ServerSideIncludeServlet

    It turns out that the wild card (*) registration can itself be
    used as a handler: a URL whose path begins with the literal
    string /*.shtml/ is dispatched to the SSIServlet.

    Thus, if the file path in the URL is prefixed with /*.shtml/,
    the named file is processed by SSIServlet regardless of its own
    extension. Because SSIServlet returns the file body instead of
    compiling it, using the prefix against .jsp and .jhtml files
    returns their unparsed source.

    2. Viewing unparsed pages by forcibly invoking FileServlet:
    -----------------------------------------------------------

    WebLogic comes pre-configured with the ConsoleHelp servlet
    being registered to invoke FileServlet, as can be seen from
    the following lines in the weblogic.properties file:

    # For Console help. Do not modify.
    weblogic.httpd.register.ConsoleHelp=
                              weblogic.servlet.FileServlet
    weblogic.httpd.initArgs.ConsoleHelp=\
            defaultFilename=/weblogic/admin/help/NoContent.html
    weblogic.allow.execute.weblogic.servlet.ConsoleHelp=everyone

    Thus, if the file path in the URL is prefixed with
    /ConsoleHelp/, it causes WebLogic to invoke FileServlet, which
    causes pages to be displayed without being parsed or compiled.

Proof of concept

    1. Using *.shtml:

    Prefixing the path to web pages with "/*.shtml/" in the URL
    causes the file to be displayed since it is processed by
    SSIServlet. For example if the URL for a file "login.jsp" is:

    http://site.running.weblogic/login.jsp

    then accessing

    http://site.running.weblogic/*.shtml/login.jsp

    would be served by SSIServlet, and the unparsed JSP/JHTML code
    can be seen in the web browser.

    2. Using ConsoleHelp:

    Prefixing the path to web pages with "/ConsoleHelp/" in the
    URL causes the file to be displayed without being parsed or
    compiled. For example if the URL for a file "login.jsp" is:

    http://site.running.weblogic/login.jsp

    then accessing

    http://site.running.weblogic/ConsoleHelp/login.jsp

    would cause the unparsed contents of the file to show up in
    the web browser.

Solution

    Please refer to BEA security advisory BEA00-03.00.

    From the vendor (as appears in BEA00-03.00):

    (1) Apply the "Show Code" vulnerability patch available from
    BEA Technical Support. This patch is available for:

    Version: The J-Engine in BEA WebLogic Enterprise 5.1.x
             BEA WebLogic Server and Express 5.1.x
             BEA WebLogic Server and Express 4.5.x

    Action: Contact BEA Technical Support at support@bea.com for
            patch.

    (2) Once the patch has been applied, review the
    weblogic.properties file and ensure that the following changes
    have been made:

    weblogic.httpd.register.file=weblogic.servlet.FileServlet
    weblogic.httpd.initArgs.file=defaultFilename=index.html
    weblogic.httpd.defaultServlet=file

    should be changed to:

    weblogic.httpd.register.*.html=weblogic.servlet.FileServlet
    weblogic.httpd.initArgs.*.html=defaultFilename=index.html
    weblogic.httpd.defaultServlet=*.html

    Future Service Packs for BEA WebLogic Server and Express will
    also contain the patch to address this vulnerability.
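
    The following Python script is an added example and is not code from
    Foundstone or BEA. It parses a weblogic.properties file (key=value
    lines, '#' or '!' comments, a trailing backslash continuing the value
    on the next line) and checks it against the BEA00-03.00 settings
    quoted above: it reports the post-patch lines that are missing, the
    pre-patch "file" registration if it is still present, and the two
    prefix-reachable registrations the advisory names (*.shtml to
    SSIServlet, ConsoleHelp to FileServlet), which only the patch closes
    and so need the patch level confirmed separately. The two sample
    property blocks are constructed from the advisory's text.

```python
"""Audit a weblogic.properties file against the BEA00-03.00 settings.

Added example; not code from Foundstone or BEA. Findings are tagged:
  MISSING       a post-patch line from BEA00-03.00 is absent or differs
  PREPATCH      the pre-patch 'file' registration the advisory says to
                replace is still present
  VERIFY_PATCH  a registration the advisory shows being abused as a URL
                prefix handler is present; only the Show Code patch
                closes that path, so confirm the patch level separately
The sample property blocks are constructed from the advisory's text.
"""

REGISTER = "weblogic.httpd.register."
FILE_SERVLET = "weblogic.servlet.FileServlet"
SSI_SERVLET = "weblogic.servlet.ServerSideIncludeServlet"

# The post-patch lines BEA00-03.00 says must be present.
RECOMMENDED = {
    REGISTER + "*.html": FILE_SERVLET,
    "weblogic.httpd.initArgs.*.html": "defaultFilename=index.html",
    "weblogic.httpd.defaultServlet": "*.html",
}

# Registrations the advisory shows being abused as URL-prefix handlers.
PREFIX_HANDLERS = {
    REGISTER + "*.shtml": SSI_SERVLET,
    REGISTER + "ConsoleHelp": FILE_SERVLET,
}


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: the first '=' splits key from
    value, '#'/'!' lines are comments, a trailing backslash joins the
    next line onto the current value."""
    props, pending = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            pending.append(line[:-1])
            continue
        pending.append(line)
        key, sep, value = "".join(pending).partition("=")
        pending = []
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit(props: dict) -> list:
    """Return (tag, message) findings for a parsed weblogic.properties."""
    findings = []
    for key, want in RECOMMENDED.items():
        have = props.get(key)
        if have != want:
            findings.append(("MISSING", f"expected {key}={want}, found {have!r}"))
    if REGISTER + "file" in props:
        findings.append(("PREPATCH", f"{REGISTER}file={props[REGISTER + 'file']} "
                                     "should be replaced per BEA00-03.00"))
    for key, servlet in PREFIX_HANDLERS.items():
        if props.get(key) == servlet:
            name = key[len(REGISTER):]
            findings.append(("VERIFY_PATCH", f"/{name}/ prefix handler {servlet} is "
                                             "registered; confirm the Show Code patch is applied"))
    return findings


# Constructed from the advisory: the pre-patch defaults.
SAMPLE_BEFORE = r"""
# For Console help. Do not modify.
weblogic.httpd.register.ConsoleHelp=weblogic.servlet.FileServlet
weblogic.httpd.initArgs.ConsoleHelp=\
        defaultFilename=/weblogic/admin/help/NoContent.html
weblogic.allow.execute.weblogic.servlet.ConsoleHelp=everyone
weblogic.httpd.register.*.shtml=weblogic.servlet.ServerSideIncludeServlet
weblogic.httpd.register.file=weblogic.servlet.FileServlet
weblogic.httpd.initArgs.file=defaultFilename=index.html
weblogic.httpd.defaultServlet=file
"""

# Constructed from the advisory: the same file after the BEA00-03.00 change.
SAMPLE_AFTER = r"""
# For Console help. Do not modify.
weblogic.httpd.register.ConsoleHelp=weblogic.servlet.FileServlet
weblogic.httpd.initArgs.ConsoleHelp=\
        defaultFilename=/weblogic/admin/help/NoContent.html
weblogic.allow.execute.weblogic.servlet.ConsoleHelp=everyone
weblogic.httpd.register.*.shtml=weblogic.servlet.ServerSideIncludeServlet
weblogic.httpd.register.*.html=weblogic.servlet.FileServlet
weblogic.httpd.initArgs.*.html=defaultFilename=index.html
weblogic.httpd.defaultServlet=*.html
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BEFORE
    for tag, msg in audit(parse_properties(text)):
        print(f"{tag:12s} {msg}")
```

    Pass the path to weblogic.properties as the only argument. On the
    pre-patch sample the audit yields three MISSING lines and one PREPATCH
    line; on the post-patch sample only the two VERIFY_PATCH notes remain,
    which is the expected state once BEA Technical Support's patch is on.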

Credits

    We would like to thank BEA Systems for their prompt and
    serious reaction to this problem.

Disclaimer

    THE INFORMATION CONTAINED IN THIS ADVISORY IS THE COPYRIGHT
    (C) 2000 OF FOUNDSTONE, INC. AND BELIEVED TO BE ACCURATE AT
    THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS
    GIVEN, EXPRESS OR IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS.
    NEITHER THE AUTHOR NOR THE PUBLISHER ACCEPTS ANY LIABILITY
    WHATSOEVER FOR ANY DIRECT, INDIRECT OR CONSEQUENTIAL LOSS OR
    DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE PLACED
    ON, THIS INFORMATION FOR ANY PURPOSE. THIS ADVISORY MAY BE
    REDISTRIBUTED PROVIDED THAT NO FEE IS ASSIGNED AND THAT THE
    ADVISORY IS NOT MODIFIED IN ANY WAY.