COMMAND
WebLogic
SYSTEMS AFFECTED
BEA WebLogic Enterprise 5.1.x, WebLogic Server and Express 4.5.x, 5.1.x
PROBLEM
The following is based on a Foundstone Security Advisory by Saumil Shah
and Shreeraj Shah. Two "show code" vulnerabilities exist in BEA's
WebLogic 5.1.0 that allow an attacker to view the source code of any
file within the web document root of the web server. Depending on the
web application and directory structure, an attacker can access and
view unauthorized files.
1. Viewing unparsed pages by forcibly invoking SSIServlet
=========================================================
Server Side Includes pages are processed by the SSIServlet in
WebLogic. It is registered in the weblogic.properties file as
follows:
weblogic.httpd.register.*.shtml=weblogic.servlet.ServerSideIncludeServlet
It turns out that the wildcard (*) registration can itself be
used as a handler to invoke the SSIServlet via a URL.
Thus, if the file path in the URL is prefixed with /*.shtml/, one
can force that file to be processed by SSIServlet. If this is used
against other file types such as .jsp and .jhtml, the unparsed jsp and
jhtml code can be viewed.
2. Viewing unparsed pages by forcibly invoking FileServlet
==========================================================
WebLogic comes pre-configured with the ConsoleHelp servlet being
registered to invoke FileServlet, as can be seen from the
following lines in the weblogic.properties file:
# For Console help. Do not modify.
weblogic.httpd.register.ConsoleHelp=weblogic.servlet.FileServlet
weblogic.httpd.initArgs.ConsoleHelp=\defaultFilename=/weblogic/admin/help/NoContent.html
weblogic.allow.execute.weblogic.servlet.ConsoleHelp=everyone
Thus, if the file path in the URL is prefixed with /ConsoleHelp/,
it causes WebLogic to invoke FileServlet, which causes pages to be
displayed without being parsed or compiled.
Proof of concept?
1. Using *.shtml:
Prefixing the path to web pages with "/*.shtml/" in the URL
causes the file to be displayed since it is processed by
SSIServlet. For example if the URL for a file "login.jsp" is:
http://site.running.weblogic/login.jsp
then accessing
http://site.running.weblogic/*.shtml/login.jsp
would be served by SSIServlet, and the jsp/jhtml code can be seen in
the web browser.
2. Using ConsoleHelp:
Prefixing the path to web pages with "/ConsoleHelp/" in the URL
causes the file to be displayed without being parsed or
compiled. For example if the URL for a file "login.jsp" is:
http://site.running.weblogic/login.jsp
then accessing
http://site.running.weblogic/ConsoleHelp/login.jsp
would cause the unparsed contents of the file to show up in
the web browser.
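As an added detection example (not part of the Foundstone or BEA advisory), the following Python scans web-server access-log lines for requests whose first path segment is one of the servlet registration names above (*.shtml or ConsoleHelp) and whose remaining path names a .jsp or .jhtml file. The log lines and client addresses are constructed; decoding the path before matching is an assumption, made because the asterisk may arrive percent-encoded as %2A.

```python
import re
from urllib.parse import unquote

# Servlet registrations from weblogic.properties that act as URL path prefixes
# (the two named in the advisory; extend with any others registered on a site).
PREFIX_SERVLETS = {"*.shtml", "ConsoleHelp"}
# Extensions whose source would be disclosed if the file is served unparsed.
SOURCE_EXTS = (".jsp", ".jhtml")

# Common Log Format: host ident user [time] "METHOD path PROTO" status bytes
_CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def is_show_code_request(path: str) -> bool:
    """True if the request routes a .jsp/.jhtml file through a servlet whose
    registered name appears as the first path segment."""
    # Decode once so /%2A.shtml/ is seen as /*.shtml/ (assumed); drop any query.
    decoded = unquote(path.split("?", 1)[0])
    parts = [p for p in decoded.split("/") if p]
    if len(parts) < 2:
        return False
    first, rest = parts[0], "/".join(parts[1:])
    return first in PREFIX_SERVLETS and rest.lower().endswith(SOURCE_EXTS)

def scan_log(lines):
    """Return (client, path, status) for every request matching the pattern."""
    hits = []
    for line in lines:
        m = _CLF.match(line)
        if not m:
            continue
        client, _ts, _method, path, status = m.groups()
        if is_show_code_request(path):
            hits.append((client, path, status))
    return hits

# Constructed sample log lines (not taken from the advisory or any real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jun/2000:10:00:01 +0000] "GET /login.jsp HTTP/1.0" 200 512',
    '10.0.0.5 - - [01/Jun/2000:10:00:02 +0000] "GET /*.shtml/login.jsp HTTP/1.0" 200 1840',
    '10.0.0.6 - - [01/Jun/2000:10:00:03 +0000] "GET /ConsoleHelp/admin/config.jhtml HTTP/1.0" 200 2201',
    '10.0.0.7 - - [01/Jun/2000:10:00:04 +0000] "GET /%2A.shtml/login.jsp?x=1 HTTP/1.0" 200 1840',
    '10.0.0.8 - - [01/Jun/2000:10:00:05 +0000] "GET /ConsoleHelp/index.html HTTP/1.0" 200 300',
]

if __name__ == "__main__":
    for client, path, status in scan_log(SAMPLE_LOG):
        print(f"{client} requested {path} (status {status})")
```

The /ConsoleHelp/index.html line is deliberately not flagged: serving a static .html file through FileServlet is the registration's intended use, and only requests that push parsed file types through it disclose source.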
SOLUTION
Please refer to BEA security advisory BEA00-03.00. From the
vendor (as appears in BEA00-03.00):
(1) Apply the "Show Code" vulnerability patch available from BEA
Technical Support. This patch is available for:
- The J-Engine in BEA WebLogic Enterprise 5.1.x
- BEA WebLogic Server and Express 5.1.x
- BEA WebLogic Server and Express 4.5.x
Contact BEA Technical Support at support@bea.com for the patch.
(2) Once the patch has been applied, review the
weblogic.properties file and ensure that the following changes
have been made:
weblogic.httpd.register.file=weblogic.servlet.FileServlet
weblogic.httpd.initArgs.file=defaultFilename=index.html
weblogic.httpd.defaultServlet=file
should be changed to:
weblogic.httpd.register.*.html=weblogic.servlet.FileServlet
weblogic.httpd.initArgs.*.html=defaultFilename=index.html
weblogic.httpd.defaultServlet=*.html
Future Service Packs for BEA WebLogic Server and Express will
also contain the patch to address this vulnerability.