Bugtraq mailing list archives
Re: BEA WebLogic internal hostname disclosure
From: "Kurt Seifried" <kurt () seifried org>
Date: Thu, 3 Apr 2003 01:00:37 -0800
Hi, During a penentration test, I discovered that the BEA Weblogic Server reveals it hostname (on windows machines NetBIOS name) while sending the following request: GET . HTTP/1.0\r\n\r\n On older systems (Weblogic 7.0), a simple "BLAH . BLAH\r\n\r\n" will do the same trick. BEA was contacted about two weeks ago, but I haven't heard from them (yet). Regards, Michael
Reveals hostname: ./ .// .////////////// .%20 .%20%20 .. Does not reveal hostname: ... .a .1 .\ .%21 Seems that a single "." or a "." followed by a "special" character such as "/" or %20 (space) works. Don't know what other "special" characters work. Kurt Seifried, kurt () seifried org A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574 http://seifried.org/security/
Current thread:
- BEA WebLogic internal hostname disclosure Michael Hendrickx (Apr 02)
- Re: BEA WebLogic internal hostname disclosure Kurt Seifried (Apr 03)