Bugtraq mailing list archives

def-2001-14: Bea Weblogic Unicode Directory Browsing


From: Peter Gründl <peter.grundl () DEFCOM COM>
Date: Mon, 26 Mar 2001 09:27:09 +0200

======================================================================
                  Defcom Labs Advisory def-2001-14

              Bea Weblogic Unicode Directory Browsing

Author: Peter Gründl <peter.grundl () defcom com>
Release Date: 2001-03-26
======================================================================
------------------------=[Brief Description]=-------------------------
The Bea Weblogic server contains a flaw that allows directory browsing
even if the directories contain default documents.

------------------------=[Affected Systems]=--------------------------
- Bea Weblogic Server 6.0 for Windows NT/2000

----------------------=[Detailed Description]=------------------------
By requesting a URL and ending it with one of the following Unicode
representations: %00, %2e, %2f or %5c, it is possible to bypass the
serving of the default document (e.g. index.html) and browse the
content of the web folders.

Examples:
http://www.foo.org/%00/
http://www.foo.org/images/%2e/
http://www.foo.org/passwords/%2f/
http://www.foo.org/creditcard/%5c/

The four Unicode representations translate to "null", ".", "/" and "\".

---------------------------=[Workaround]=-----------------------------
Download and install Weblogic 6.0 with Service Pack 1:
http://commerce.bea.com/downloads/weblogic_server.jsp#wls

-------------------------=[Vendor Response]=--------------------------
This issue was brought to the vendor's attention on the 22nd of
February, 2001 and a workaround was received on the 6th of March 2001.

======================================================================
            This release was brought to you by Defcom Labs

              labs () defcom com             www.defcom.com
======================================================================
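
Added example (not part of the Defcom advisory): a log check that flags requests whose raw path ends in one of the four encoded segments the advisory lists, so an administrator can see whether an unpatched server received them. The Common Log Format layout, the function name and the sample lines are assumptions constructed for illustration.

```python
import re

# Trailing path segments named in the advisory: %00, %2e, %2f, %5c.
# Hex digits are matched case-insensitively; the final "/" is treated as
# optional (an assumption, the advisory's examples all end in "/").
SUSPECT_TAIL = re.compile(r"/%(00|2e|2f|5c)/?$", re.IGNORECASE)

# Minimal Common Log Format matcher: client, timestamp, method, target, status.
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')


def find_suspect_requests(lines):
    """Return (client, path, status) for each request whose raw,
    still-encoded path ends in one of the advisory's segments."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a parseable access-log line
        client, _ts, _method, target, status = m.groups()
        path = target.split("?", 1)[0]  # the query string is not relevant
        if SUSPECT_TAIL.search(path):
            hits.append((client, path, int(status)))
    return hits


# Constructed sample access-log lines (documentation addresses, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Mar/2001:09:30:01 +0200] "GET /images/ HTTP/1.0" 200 512',
    '192.0.2.11 - - [26/Mar/2001:09:30:05 +0200] "GET /images/%2e/ HTTP/1.0" 200 2048',
    '192.0.2.11 - - [26/Mar/2001:09:30:07 +0200] "GET /%00/ HTTP/1.0" 200 4096',
    '192.0.2.12 - - [26/Mar/2001:09:30:09 +0200] "GET /docs/a%2fb.html HTTP/1.0" 404 0',
    '192.0.2.13 - - [26/Mar/2001:09:30:11 +0200] "GET /files/%5C/ HTTP/1.0" 403 0',
]

if __name__ == "__main__":
    for client, path, status in find_suspect_requests(SAMPLE_LOG):
        print(f"{client} requested {path} -> HTTP {status}")
```

The status code is kept in each hit so that requests the server answered can be triaged ahead of those it rejected.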

