COMMAND

    WebLogic

SYSTEMS AFFECTED

    Up to and including WebLogic 4.5.1

PROBLEM

    The following is based on the Foundstone Security Advisory by Saumil
    Shah and Stuart McClure.  A "show code" (source disclosure)
    vulnerability exists in BEA's WebLogic 4.5.1 for NT that allows an
    attacker to view the source code of Java Server Pages (JSP) or JHTML
    files.

    The problem lies in the way WebLogic assigns handlers to specific
    file types.  For example, files with the extensions .jsp and .jhtml
    are registered as Java Server Pages or Java Servlet files in the
    WebLogic configuration file "weblogic.properties", which lies under
    the \weblogic directory.

    A sample out-of-the-box configuration file looks as follows:

        # ---irrelevant part trimmed out---
        
        # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
        # WEBLOGIC JHTML PROPERTIES
        # ------------------------------------------------
        # Sets up automatic page compilation for JHTML. Adjust init
        # args for directory locations and uncomment to use.
        weblogic.httpd.register.*.jhtml=\
               weblogic.servlet.jhtmlc.PageCompileServlet
        weblogic.httpd.initArgs.*.jhtml=\
               pageCheckSeconds=1,\
               packagePrefix=examples.jhtml,\
               compileCommand=c:/java/bin/javac.exe,\
               workingDir=d:/weblogic/myserver/classfiles,\
               verbose=true
        
        # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
        # WEBLOGIC JSP PROPERTIES
        # ------------------------------------------------
        # Sets up automatic page compilation for JSP. Adjust init
        # args for directory locations and uncomment to use.
        weblogic.httpd.register.*.jsp=\
               weblogic.servlet.JSPServlet
        weblogic.httpd.initArgs.*.jsp=\
               pageCheckSeconds=1,\
               compileCommand=c:/java/bin/javac.exe,\
               workingDir=d:/weblogic/myserver/classfiles,\
               verbose=true

    We can observe that the extensions .jsp and .jhtml are assigned to
    the page-compilation servlets, which invoke the Java compiler.
    WebLogic, being case sensitive by default, interprets .jsp and .JSP
    as two different extensions.  The same is the case with .jhtml and
    .JHTML.  If a request for a .JSP file is made to WebLogic, it cannot
    find a handler for the .JSP extension and therefore uses the default
    handler, which is of type "text".  Since the underlying file system
    is Windows NT, which does not differentiate between upper case and
    lower case filenames, the requested file ends up being served as
    plain text without being parsed or interpreted.  On WebLogic running
    on Unix servers, the request produces a "File not Found" error.

    Normally, JSP and JHTML files are referred to in URLs using lower
    case extensions.  For example:

        http://site.running.weblogic/login.jsp          -or-
        http://site.running.weblogic/index.jhtml

    By changing any letter in the extension (.jsp or .jhtml) to upper
    case, it is possible to obtain the unparsed source code of the JSP
    or JHTML file:

        http://site.running.weblogic/login.JSP          -or-
        http://site.running.weblogic/index.JHTML
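
    The indicator described above (a request for a .jsp or .jhtml page
    whose extension is not all lower case) can be looked for in web server
    access logs.  The following is an added example, not part of the
    Foundstone advisory: it parses Common Log Format lines and reports
    such requests together with the response status.  The log lines are
    constructed for the example; a 200 response to a mixed-case request
    on a server without the fix described below means the page source
    was most likely served as plain text.

```python
import re

# Extensions the advisory concerns; lower-case form is the registered one.
PAGE_EXTENSIONS = ("jsp", "jhtml")

# One Common Log Format line:
#   host ident user [time] "method path protocol" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def extension_of(path):
    """Return the file extension of a URL path, ignoring any query string."""
    path = path.split("?", 1)[0]
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1] if "." in name else ""


def is_case_variant(ext):
    """True if ext spells .jsp or .jhtml with at least one upper-case letter."""
    return ext.lower() in PAGE_EXTENSIONS and ext != ext.lower()


def find_suspicious_requests(lines):
    """Return (host, path, status) for every request whose JSP/JHTML
    extension is not in the registered all-lower-case form."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        if is_case_variant(extension_of(m.group("path"))):
            hits.append((m.group("host"), m.group("path"), int(m.group("status"))))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2000:12:00:01 -0500] "GET /login.jsp HTTP/1.0" 200 1532',
    '10.0.0.5 - - [10/Mar/2000:12:00:09 -0500] "GET /login.JSP HTTP/1.0" 200 2210',
    '10.0.0.7 - - [10/Mar/2000:12:01:15 -0500] "GET /index.jHtml?x=1 HTTP/1.0" 200 980',
    '10.0.0.9 - - [10/Mar/2000:12:02:30 -0500] "GET /images/logo.GIF HTTP/1.0" 200 4100',
    '10.0.0.9 - - [10/Mar/2000:12:03:00 -0500] "GET /admin.Jsp HTTP/1.0" 404 210',
]

if __name__ == "__main__":
    for host, path, status in find_suspicious_requests(SAMPLE_LOG):
        print(f"{host} requested {path} -> HTTP {status}")
```

    Only the JSP/JHTML extensions are checked; other mixed-case names
    (such as the .GIF above) are legitimate on a case-insensitive file
    system and are deliberately not reported.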

SOLUTION

    A cumbersome workaround to this problem would be to add handlers
    for the following file extensions in the configuration file:

      - for .jsp files:
        .jsp    .Jsp    .jSp    .jsP    .JSp    .jSP    .JsP    .JSP

      - for .jhtml files:
        .jhtml  .Jhtml  .jHtml  .jhTml  .jhtMl  .jhtmL  .JHtml  .JhTml
        .JhtMl  .JhtmL  .jHTml  .jHtMl  .jHtmL  .jhTMl  .jhTmL  .jhtML
        .JHTml  .JHtMl  .JHtmL  .JhTMl  .JhTmL  .JhtML  .jHTMl  .jHTmL
        .jHtML  .jhTML  .JHTMl  .JHTmL  .JHtML  .JhTML  .jHTML  .JHTML

    These extensions cover all combinations of upper and lower case
    characters for .jsp and .jhtml.

    Check the following property in the weblogic.properties file:

        weblogic.httpd.servlet.extensionCaseSensitive

    In certain versions of BEA WebLogic Server, the default setting of
    this property is "false".  For maximum security, as documented in
    the BEA security lockdown documentation at:

        http://www.weblogic.com/docs51/admindocs/properties.html
        http://www.weblogic.com/docs51/admindocs/lockdown.html

    set weblogic.httpd.servlet.extensionCaseSensitive to "true", or add
    the following line to your weblogic.properties file:

        weblogic.httpd.servlet.extensionCaseSensitive=true
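
    Both remedies above can be checked against an existing
    weblogic.properties file.  The following is an added example, not
    code from the advisory or from BEA: it parses the properties format
    used by the sample configuration (comments, key=value pairs,
    backslash line continuations), reports whether
    weblogic.httpd.servlet.extensionCaseSensitive carries the value the
    advisory recommends ("true"), and, for each page extension registered
    under weblogic.httpd.register.*., lists the upper/lower case variants
    that have no handler of their own.  The variant set is generated
    rather than typed out, so it covers all 8 spellings of .jsp and all
    32 of .jhtml.  The properties excerpt is constructed for the example.

```python
from itertools import product

CASE_PROP = "weblogic.httpd.servlet.extensionCaseSensitive"
REGISTER_PREFIX = "weblogic.httpd.register.*."


def parse_properties(text):
    """Return {key: value} from Java-properties text, joining lines that
    end in a backslash onto the following line as the sample file does."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if pending:
            line = pending + line
            pending = ""
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending = line[:-1]  # continuation: keep collecting
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    if pending:  # file ended in the middle of a continuation
        key, _, value = pending.partition("=")
        props[key.strip()] = value.strip()
    return props


def case_variants(ext):
    """Every upper/lower case spelling of an extension (2**len(ext) of them)."""
    return {"".join(chars) for chars in product(*((c.lower(), c.upper()) for c in ext))}


def audit(props, page_extensions=("jsp", "jhtml")):
    """Return (property_is_true, {ext: sorted variants lacking a handler})."""
    property_is_true = props.get(CASE_PROP, "").lower() == "true"
    registered = {k[len(REGISTER_PREFIX):] for k in props if k.startswith(REGISTER_PREFIX)}
    missing = {}
    for ext in page_extensions:
        if ext in registered:
            missing[ext] = sorted(case_variants(ext) - registered)
    return property_is_true, missing


# Constructed excerpt modelled on the out-of-the-box sample above; the
# extensionCaseSensitive property is deliberately absent.
SAMPLE_PROPERTIES = r"""
# WEBLOGIC JHTML / JSP PROPERTIES (constructed excerpt)
weblogic.httpd.register.*.jhtml=\
       weblogic.servlet.jhtmlc.PageCompileServlet
weblogic.httpd.register.*.jsp=\
       weblogic.servlet.JSPServlet
weblogic.httpd.initArgs.*.jsp=\
       pageCheckSeconds=1,\
       compileCommand=c:/java/bin/javac.exe,\
       workingDir=d:/weblogic/myserver/classfiles,\
       verbose=true
"""

# The same file with the advisory's recommended line appended.
HARDENED_PROPERTIES = SAMPLE_PROPERTIES + CASE_PROP + "=true\n"

if __name__ == "__main__":
    for label, text in (("as shipped", SAMPLE_PROPERTIES), ("hardened", HARDENED_PROPERTIES)):
        is_true, missing = audit(parse_properties(text))
        print(f"[{label}] {CASE_PROP}=true: {is_true}")
        for ext, variants in missing.items():
            print(f"[{label}] .{ext}: {len(variants)} case variants without a handler")
```

    With the property set as the advisory recommends, the per-variant
    handler list is not needed; the audit still prints it so that a
    partially applied workaround (some variants registered, others not)
    is visible.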

    See the following matrix to determine the appropriate course of
    action for your version of BEA WebLogic Server.

        Version:   BEA WebLogic 5.1 for Windows NT
        Status:    Set to true by default
        Action:    None

        Version:   BEA WebLogic 4.5.2 for Windows NT
        Status:    Set to true by default
        Action:    None

        Version:   BEA WebLogic 4.5.1 for Windows NT
        Status:    Set to false by default
        Action:    Set weblogic.httpd.servlet.extensionCaseSensitive=true

        Version:   BEA WebLogic 4.0.4 for Windows NT
        Status:    Set to false by default
        Action:    Set weblogic.httpd.servlet.extensionCaseSensitive=true

        Version:   BEA WebLogic 3.1.8
        Status:    Set to false by default
        Action:    Apply patch found at: ftp://ftpna.beasys.com/pub/releases/318/caseSensitiveNTFix318.zip