From peter.grundl@DEFCOM.COM Wed Mar 28 19:08:57 2001
From: "Peter Gründl"
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Tue, 27 Mar 2001 10:15:11 +0200
Subject: [BUGTRAQ] def-2001-14: Bea Weblogic Directory Browsing (re-release)

======================================================================
                  Defcom Labs Advisory def-2001-14

                  Bea Weblogic Directory Browsing

Author: Peter Gründl
Release Date: 2001-03-26
Re-release Date: 2001-03-27
======================================================================
------------------------=[Re-Release Reason]=-------------------------
Due to a poorly chosen name for the vulnerability this advisory has
been re-released (I was getting A LOT of mails from people explaining
the difference between unicode and ascii to me ;)

Also some more information about the bug has surfaced.

------------------------=[Brief Description]=-------------------------
The Bea Weblogic server contains a flaw that allows directory browsing
even if the directories contain default documents.

------------------------=[Affected Systems]=--------------------------
- Bea Weblogic Server 6.0 for Windows NT/2000
- It appears that versions prior to 6.0 might also be vulnerable!

----------------------=[Detailed Description]=------------------------
By requesting a URL and ending it with one of the following ascii
representations: %00, %2e, %2f or %5c, it is possible to bypass the
listing of the default document (eg. index.html) and browse the
content of the web folders.

Examples:
http://www.foo.org/%00/
http://www.foo.org/images/%2e/
http://www.foo.org/passwords/%2f/
http://www.foo.org/creditcard/%5c/

The four ascii representations translate to "null", ".", "/" and "\"

---------------------------=[Workaround]=-----------------------------
Workaround:
In the WLS console set the "index directory" from "enabled" to
"disabled".

It should be noted that this will not fix the issue with revealing
jsp source code that Adam Boileau reported to Bugtraq in response to
the original posting of this advisory!

Download and install Weblogic 6.0 with Service Pack 1:
http://commerce.bea.com/downloads/weblogic_server.jsp#wls

For some people installing V6.0Sp1 might not be an option. Those
people are advised to contact Bea Systems Support for assistance
with this issue.

-------------------------=[Vendor Response]=--------------------------
This issue was brought to the vendor's attention on the 22nd of
February, 2001 and a workaround was received on the 6th of March 2001.

======================================================================
            This release was brought to you by Defcom Labs

            labs@defcom.com             www.defcom.com
======================================================================
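
Added example, not part of the original advisory or Defcom's own code: a log check that flags requests whose path ends in one of the four encodings listed above, so an administrator can review past requests and see which were answered with a 200. It assumes the access log is in Common Log Format and records the raw, undecoded request path; the function name and sample lines are constructed for illustration.

```python
import re

# Encoded bytes named in the advisory: NUL, ".", "/" and "\".
TRAILING_TOKEN = re.compile(r"(%00|%2e|%2f|%5c)/?$", re.IGNORECASE)

# Common Log Format request line; the log layout is an assumption.
CLF = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]*\] '
                 r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')


def find_listing_probes(lines):
    """Return (client, path, token, status) for paths ending in a listed token."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        path = m.group("target").split("?", 1)[0]  # ignore the query string
        t = TRAILING_TOKEN.search(path)
        if t:
            hits.append((m.group("client"), path,
                         t.group(1).lower(), int(m.group("status"))))
    return hits


# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Mar/2001:10:15:11 +0200] "GET /images/%2e/ HTTP/1.0" 200 1432',
    '192.0.2.10 - - [27/Mar/2001:10:15:12 +0200] "GET /index.html HTTP/1.0" 200 512',
    '198.51.100.7 - - [27/Mar/2001:10:16:02 +0200] "GET /docs/%5C/ HTTP/1.0" 404 210',
    '198.51.100.7 - - [27/Mar/2001:10:16:05 +0200] "GET /a%2fb/page.html HTTP/1.0" 200 900',
    '203.0.113.5 - - [27/Mar/2001:10:17:40 +0200] "GET /%00/?x=1 HTTP/1.0" 200 2048',
]

if __name__ == "__main__":
    for client, path, token, status in find_listing_probes(SAMPLE_LOG):
        note = "served" if status == 200 else "not served"
        print(f"{client} {path} token={token} status={status} ({note})")
```

A 200 on a flagged line only shows the request was answered; whether the body was a directory listing has to be confirmed against the server itself.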