COMMAND

    weblogic

SYSTEMS AFFECTED

    All operating systems supported by WebLogic

PROBLEM

    Following is based on  a Foundstone Security Advisory  by Shreeraj
    Shah, Saumil Shah and Stuart  McClure.  It is possible  to compile
    and  execute  any  arbitrary  file  within  the  web document root
    directory of the WebLogic server  as if it were a  JSP/JHTML file,
    even if the file type is not .jsp or .jhtml.

    If applications  residing on  the WebLogic  server write  to files
    within  the  web  document  root  directory,  it  is  possible  to
    insert  executable  code  in  the  form  of  JSP or JHTML tags and
    have the  code compiled  and executed  using WebLogic's  handlers.
    This  can  potentially  cause  an  attacker to gain administrative
    control of the underlying operating systems.
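    The root cause above is application data landing under the web
    document root, where the page compiler can reach it.  The following
    is an added example (not part of the original advisory or of
    WebLogic) showing the check a file-writing application should make
    before storing user-supplied content: the destination is resolved
    with symlinks and ".." collapsed, and refused if it lies inside the
    document root.  The two directory paths are constructed for the
    example.

```python
import os

# Constructed paths for this example; a real deployment would use the
# server's actual document root and the application's own data directory.
DOC_ROOT = "/opt/weblogic/myserver/public_html"
DATA_DIR = "/var/lib/guestbook"


def is_inside(path, root):
    """True if `path` resolves to a location under `root`.

    Both sides are passed through realpath so that symlinks and '..'
    components cannot disguise a destination that is really under root.
    """
    real_path = os.path.realpath(path)
    real_root = os.path.realpath(root)
    return os.path.commonpath([real_path, real_root]) == real_root


def choose_store_path(filename, data_dir=DATA_DIR, doc_root=DOC_ROOT):
    """Return the path where user-supplied content may be written.

    Only the base name of the requested filename is used, and the result
    is refused if it falls under the web document root, because anything
    stored there can be fed to the JSP/JHTML page compiler by URL.
    """
    target = os.path.join(data_dir, os.path.basename(filename))
    if is_inside(target, doc_root):
        raise ValueError(
            "refusing to write user data under the document root: %s" % target
        )
    return target


def save_guestbook_entry(text, filename="temp.txt"):
    """Append a guestbook entry outside the document root and return the path."""
    path = choose_store_path(filename)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "a") as fh:
        fh.write(text + "\n")
    return path


if __name__ == "__main__":
    print(choose_store_path("temp.txt"))
    try:
        choose_store_path("temp.txt", data_dir=DOC_ROOT)
    except ValueError as exc:
        print("blocked:", exc)
```

    Keeping the data directory outside the document root removes the
    compile-by-URL path entirely; the containment check is the backstop
    for the case where a configured directory is later moved or
    symlinked under the served tree.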

    Looking into  the weblogic.properties  files, the  following lines
    indicate  how  WebLogic  associates  handlers  for  compiling  and
    executing JHTML and JSP files.

        weblogic.httpd.register.*.jhtml=\
            weblogic.servlet.jhtmlc.PageCompileServlet
        weblogic.httpd.register.*.jsp=\
            weblogic.servlet.JSPServlet

    JHTML pages in WebLogic are handled by
    weblogic.servlet.jhtmlc.PageCompileServlet, which compiles the JHTML
    pages (if they are not already compiled), executes them within the
    Java Runtime Environment and hands the output back to the web
    server.  Similarly, weblogic.servlet.JSPServlet is responsible for
    compiling and executing JSP pages.

    It  is  possible  to  invoke  these  servlets  manually  using the
    /*.jhtml/  or  /*.jsp/  prefix  in  the  URL,  and point it to any
    arbitrary file on  the web server  to be compiled  and executed as
    if it were a  JHTML or a JSP  file.  If JHTML  or JSP code can  be
    injected into any file on the web server via an application  (e.g.
    a  guestbook  application),  it  is  possible to execute arbitrary
    commands on the server.

    Assume that there  is an application  on the WebLogic  server that
    writes user entered data to a file called "temp.txt".  Given below
    is JHTML/JSP code that will print "Hello World":

        <java>out.println("Hello World");</java>        (JHTML) -or-
        <% out.println("Hello World"); %>               (JSP)

    If this  code is  somehow inserted  in the  file "temp.txt" via an
    application,  then  the  following  can  be  used to invoke forced
    compilation and execution of "temp.txt":

         http://weblogic.site/*.jhtml/path/to/temp.txt   (JHTML) -or-
         http://weblogic.site/*.jsp/path/to/temp.txt     (JSP)
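    The request shape above is distinctive enough to detect in the web
    server's access log.  The following is an added example (not part
    of the original advisory or of WebLogic) that parses Common Log
    Format lines, decodes the request path, and reports any request
    whose path carries the "/*.jsp/" or "/*.jhtml/" handler prefix,
    together with the file it was pointed at.  The log lines are
    constructed for the example.

```python
import re
from urllib.parse import unquote

# A path segment naming the JSP or JHTML page compiler by prefix, as in the
# advisory; whatever follows it is the file being forced through the compiler.
FORCED_COMPILE = re.compile(r"/\*\.(jsp|jhtml)/(?P<target>[^\s?]*)", re.IGNORECASE)

# Common Log Format: host ident user [time] "method path proto" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_clf(line):
    """Split one access-log line into its fields, or None if it is not CLF."""
    m = CLF.match(line)
    return m.groupdict() if m else None


def forced_compile_target(path):
    """Return (handler, target) if the path invokes the page compiler by prefix.

    The logged path is URL-decoded first, since the server records the raw
    request line and the match must be made on the path the server acted on.
    """
    m = FORCED_COMPILE.search(unquote(path))
    if not m:
        return None
    return m.group(1).lower(), m.group("target")


def find_forced_compiles(lines):
    """Scan log lines and collect every forced-compilation request."""
    hits = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue
        hit = forced_compile_target(rec["path"])
        if hit:
            hits.append({
                "host": rec["host"],
                "time": rec["time"],
                "handler": hit[0],
                "target": hit[1],
                "status": rec["status"],
            })
    return hits


# Constructed sample log lines; the addresses and paths are not from any real server.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2001:12:00:01 -0500] "GET /index.jsp HTTP/1.0" 200 1532',
    '203.0.113.5 - - [10/Jan/2001:12:00:07 -0500] "GET /*.jsp/guestbook/temp.txt HTTP/1.0" 200 23',
    '198.51.100.9 - - [10/Jan/2001:12:01:15 -0500] "GET /%2A.jhtml/guestbook/temp.txt HTTP/1.0" 200 23',
    '198.51.100.9 - - [10/Jan/2001:12:02:00 -0500] "GET /images/logo.gif HTTP/1.0" 200 4021',
]

if __name__ == "__main__":
    for hit in find_forced_compiles(SAMPLE_LOG):
        print("%(host)s forced %(handler)s compile of %(target)s (status %(status)s)" % hit)
```

    A status of 200 on such a request means the server compiled and
    served the named file; the target path tells you which
    application-written file to inspect for injected tags.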

SOLUTION

    Please refer to BEA's advisory BEA00-04.00 which can be found at

        http://developer.bea.com/alerts/index.html