COMMAND

    Weblogic

SYSTEMS AFFECTED

    Bea Weblogic Server 6.0 and prior

PROBLEM

    Following is based on a Defcom Labs Advisory def-2001-14 by  Peter
    Grundl.   The  Bea  Weblogic  server  contains  a flaw that allows
    directory  browsing  even  if  the  directories  contain   default
    documents.

    By  requesting  a  URL  and  ending  it  with one of the following
    ascii representations: %00, %2e, %2f   or %5c, it is possible   to
    bypass the listing  of the default  document (eg. index.html)  and
    browse the content of the web folders.

    Examples:

        http://www.foo.org/%00/
        http://www.foo.org/images/%2e/
        http://www.foo.org/passwords/%2f/
        http://www.foo.org/creditcard/%5c/

    The four  unicode representations  translate to  "null", ".",  "/"
    and "\".

    It is interesting to note that similar (in fact, worse)  behaviour
    is exhibited in  both Weblogic 4.5.1  and 5.1.   Appending a '%00'
    to the  end of  a .jsp  request retrieves  the source  of the jsp.
    Results look something like this:

        4.5.1 SP13 Single : Yes
        4.5.1 SP13 Cluster: Yes
        4.5.1 SP11 Single : Yes
        4.5.1 SP11 Cluster: No

        5.1 SP6 Single: Yes
        5.1 SP3 Single: Yes

    Appending  a  '%00'  to  the  end  of a .jsp request retrieves the
    source of the jsp.  This has been reproduced on WL 4.5.1 SP11  and
    SP13 in both cluster and standalone configurations.  Also, it  has
    been  reproduced  with  5.1  SP6   and  SP3,  all  in  a   Solaris
    environment.  Tried  it on AIX  4.3.3 with WebLogic  5.1.0 Service
    Pack 6 - It works!

    The negative  result above  got with  SP11 turned  out to be quite
    interesting  -  it  occurs  only  when  passed through libproxy.so
    4.5.1 SP7.  Testing directly against the weblogic server, the  %00
    trick works.   When proxied  (through Netscape  Enterprise Server)
    via solaris/libproxy.so 4.5.1 SP8, SP9, SP11, SP11(with fix),  and
    SP13, it  also works.   When proxied  through 4.5.1  SP7, it  does
    not.

SOLUTION

    Download and install Weblogic 6.0 with Service Pack 1:

        http://commerce.bea.com/downloads/weblogic_server.jsp#wls

    For some people installing V6.0Sp1 might not be an option.   Those
    people are adviced to  contact Bea Systems Support  for assistance
    with this issue.

    In the  WLS console  set the  "index directory"  from "enabled" to
    "disabled".  It should be noted  that this will not fix the  issue
    with  revealing  jsp  sourcecode  that  Adam  Boileau  reported to
    Bugtraq in response to the original posting of this advisory!