Bugtraq mailing list archives

def-2001-14: Bea Weblogic Directory Browsing (re-release)


From: Peter Gründl <peter.grundl () DEFCOM COM>
Date: Tue, 27 Mar 2001 10:15:11 +0200

======================================================================
                  Defcom Labs Advisory def-2001-14

                  Bea Weblogic Directory Browsing

Author: Peter Gründl <peter.grundl () defcom com>
Release Date: 2001-03-26
Re-release Date: 2001-03-27
======================================================================
------------------------=[Re-Release Reason]=-------------------------
Due to a poorly chosen name for the vulnerability this advisory has
been re-released (I was getting A LOT of mails from people explaining
the difference between unicode and ascii to me ;)

Also some more information about the bug has surfaced.

------------------------=[Brief Description]=-------------------------
The Bea Weblogic server contains a flaw that allows directory browsing
even if the directories contain default documents.

------------------------=[Affected Systems]=--------------------------
- Bea Weblogic Server 6.0 for Windows NT/2000
- It appears that versions prior to 6.0 might also be vulnerable!

----------------------=[Detailed Description]=------------------------
By requesting a URL and ending it with one of the following ascii
representations: %00, %2e, %2f or %5c, it is possible to bypass the
listing of the default document (e.g. index.html) and browse the
content of the web folders.

Examples:
http://www.foo.org/%00/
http://www.foo.org/images/%2e/
http://www.foo.org/passwords/%2f/
http://www.foo.org/creditcard/%5c/

The four ascii representations translate to "null", ".", "/" and "\".

---------------------------=[Workaround]=-----------------------------
Workaround:
In the WLS console set the "index directory" from "enabled" to
"disabled".

It should be noted that this will not fix the issue with revealing jsp
source code that Adam Boileau reported to Bugtraq in response to the
original posting of this advisory!

Download and install Weblogic 6.0 with Service Pack 1:
http://commerce.bea.com/downloads/weblogic_server.jsp#wls

For some people installing V6.0Sp1 might not be an option. Those
people are advised to contact Bea Systems Support for assistance with
this issue.

-------------------------=[Vendor Response]=--------------------------
This issue was brought to the vendor's attention on the 22nd of
February, 2001 and a workaround was received on the 6th of March 2001.

======================================================================
            This release was brought to you by Defcom Labs

              labs () defcom com             www.defcom.com
======================================================================
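
Added example, not part of the original advisory: a log check for requests whose path ends in one of the four sequences from the Detailed Description (%00, %2e, %2f, %5c), to see whether directory listings were requested this way before the workaround was applied. It assumes access logs in Common Log Format that record the raw, still percent-encoded request target; the function name and the sample log lines are constructed for illustration.

```python
import re

# Raw (still percent-encoded) path whose final segment is exactly one of
# the four sequences named in the advisory, with or without a closing "/".
TRAILING_SEQ = re.compile(r"/(%00|%2e|%2f|%5c)/?$", re.IGNORECASE)

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')


def find_suspect_requests(lines):
    """Return (client, target, status, sequence) for each matching request."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a CLF line (assumed format), skip it
        client, _when, _method, target, status = m.groups()
        path = target.split("?", 1)[0]  # ignore the query string
        seq = TRAILING_SEQ.search(path)
        if seq:
            hits.append((client, target, int(status), seq.group(1).lower()))
    return hits


# Constructed sample log lines (documentation addresses, invented paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Mar/2001:10:01:02 +0200] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.44 - - [27/Mar/2001:10:01:09 +0200] "GET /%00/ HTTP/1.0" 200 2210',
    '192.0.2.44 - - [27/Mar/2001:10:01:11 +0200] "GET /images/%2E/ HTTP/1.0" 200 5120',
    '192.0.2.10 - - [27/Mar/2001:10:02:30 +0200] "GET /docs/a%2fb.html HTTP/1.0" 404 210',
    '192.0.2.10 - - [27/Mar/2001:10:02:41 +0200] "GET /search?q=%2f HTTP/1.0" 200 880',
    '192.0.2.57 - - [27/Mar/2001:10:03:05 +0200] "GET /files/%5c HTTP/1.0" 404 210',
]

if __name__ == "__main__":
    for client, target, status, seq in find_suspect_requests(SAMPLE_LOG):
        # A 200 response suggests a listing may have been returned.
        note = "check response" if status == 200 else "rejected"
        print(f"{client} {target} -> {status} ({seq}, {note})")
```

A hit with status 200 is worth comparing against the "index directory" setting described in the workaround, since with indexing disabled the same request should no longer return a listing.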

