From stuart.mcclure@FOUNDSTONE.COM Thu Jul 13 13:59:31 2000
From: stuart.mcclure@FOUNDSTONE.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Wed, 21 Jun 2000 02:36:25 -0400
Subject: BEA WebLogic /file/ showcode vulnerability

Foundstone, Inc.
http://www.foundstone.com
"Securing the Dot Com World"

Security Advisory
BEA's WebLogic
----------------------------------------------------------------------
FS Advisory ID:       FS-062100-3-BEA
Release Date:         June 21, 2000
Product:              WebLogic
Vendor:               BEA Systems (http://www.beasys.com)
Vendor Advisory:      Contact vendor.
Type:                 Unparsed pages: Show code vulnerability
Severity:             Low to Medium (depending on JSP/JHTML coding practices)
Author:               Saumil Shah (saumil.shah@foundstone.com)
                      Shreeraj Shah (shreeraj.shah@foundstone.com)
                      Stuart McClure (stuart.mcclure@foundstone.com)
                      Foundstone, Inc. (http://www.foundstone.com)
Operating Systems:    All operating systems
Vulnerable versions:  BEA WebLogic Server and Express 5.1.x
                      BEA WebLogic Server and Express 4.5.x
                      BEA WebLogic Server and Express 4.0.x
                      BEA WebLogic Server and Express 3.1.8
Note:                 No currently available versions of BEA WebLogic Enterprise are affected.
Foundstone Advisory:  http://www.foundstone.com
----------------------------------------------------------------------

Description

A show code vulnerability exists in BEA's WebLogic 5.1.0 that allows an attacker to view the source code of any file within the web document root of the web server.

Details

WebLogic relies on four main Java Servlets to serve different kinds of files.
These servlets are:

FileServlet         - for plain HTML pages
SSIServlet          - for Server Side Includes pages
PageCompileServlet  - for JHTML pages
JSPServlet          - for Java Server Pages

Looking at the weblogic.properties file, here is how each of these servlets is registered:

weblogic.httpd.register.file=weblogic.servlet.FileServlet
weblogic.httpd.register.*.shtml=weblogic.servlet.ServerSideIncludeServlet
weblogic.httpd.register.*.jhtml=weblogic.servlet.jhtmlc.PageCompileServlet
weblogic.httpd.register.*.jsp=weblogic.servlet.JSPServlet

Further along in the weblogic.properties file, there is a default servlet which is called upon if a requested file does not have a registered handler. The lines below show how the default servlet is registered.

# Default servlet registration
# ------------------------------------------------
# Virtual name of the default servlet if no matching servlet
# is found
weblogic.httpd.defaultServlet=file

Thus, if the file path in the URL is prefixed with "/file/", WebLogic routes the request to the servlet registered under the virtual name "file" (the FileServlet, which is also the default servlet). The FileServlet treats the target as a plain file, so pages are displayed without being parsed or compiled.

Proof of concept

It is easy to verify this vulnerability for a given system. Prefixing the path to web pages with "/file/" in the URL causes the file to be displayed without being parsed or compiled. For example, if the URL for a file "login.jsp" is:

http://site.running.weblogic/login.jsp

then accessing

http://site.running.weblogic/file/login.jsp

would cause the unparsed contents of the file to show up in the web browser.

Solution

Workaround (The vendor recommends)

Do not use the example configuration for the FileServlet in production situations. It is possible to view the source of a JSP/JHTML file in a browser if you do.
For more information on the file servlet, see "Setting up the File Servlet" in the online documentation at:

http://www.weblogic.com/docs51/admindocs/http.html#file

The example registrations look like this:

weblogic.httpd.register.file=weblogic.servlet.FileServlet
weblogic.httpd.initArgs.file=defaultFilename=index.html
weblogic.httpd.defaultServlet=file

There are two ways to avoid this:

* Register the file servlet with a name that uses a random string that will be difficult to guess. For example, the following registrations will register the file servlet as 12foo34:

  weblogic.httpd.register.12foo34=weblogic.servlet.FileServlet
  weblogic.httpd.initArgs.12foo34=defaultFilename=index.html
  weblogic.httpd.defaultServlet=12foo34

* Register the file servlet using wild cards representing all of the file extensions you will be serving. For example, the following registrations register the file servlet to serve .html files:

  weblogic.httpd.register.*.html=weblogic.servlet.FileServlet
  weblogic.httpd.initArgs.*.html=defaultFilename=index.html
  weblogic.httpd.defaultServlet=*.html

  Repeat the above registrations for all the file types you will be serving, for example, *.gif, *.jpg, *.pdf, *.txt, etc.

Note: This information is documented in the BEA WebLogic Server and Express documentation at:

http://www.weblogic.com/docs51/admindocs/lockdown.html

Fix

Contact the vendor.

Credits

We would also like to thank BEA Systems for their prompt and serious reaction to this problem.
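The registrations quoted in the Details and Workaround sections can be checked mechanically. The Python script below is an added example, not code from the Foundstone advisory or from BEA: it reads a weblogic.properties file, reports whether the FileServlet is reachable under a path-style virtual name such as "file", and prints the extension-scoped registrations of the vendor's second workaround. The property names are the ones quoted in the advisory; the small .properties parser, the severity labels and the sample configuration are this example's own assumptions.

```python
"""Audit weblogic.properties for the FileServlet exposure in FS-062100-3-BEA and
emit the per-extension registrations of the vendor's second workaround.

Added example; not code from the Foundstone advisory or from BEA. Property
names are the ones quoted in the advisory; the parser and severity labels are
this example's own assumptions."""
import re
from typing import Dict, List, Tuple

FILE_SERVLET = "weblogic.servlet.FileServlet"
REGISTER_PREFIX = "weblogic.httpd.register."
INIT_ARGS_PREFIX = "weblogic.httpd.initArgs."
DEFAULT_SERVLET_KEY = "weblogic.httpd.defaultServlet"

# Constructed sample that mirrors the example registrations quoted in the advisory.
SAMPLE_WEAK = """\
# Default servlet registration
weblogic.httpd.register.file=weblogic.servlet.FileServlet
weblogic.httpd.initArgs.file=defaultFilename=index.html
weblogic.httpd.register.*.shtml=\\
    weblogic.servlet.ServerSideIncludeServlet
weblogic.httpd.register.*.jsp=weblogic.servlet.JSPServlet
weblogic.httpd.defaultServlet=file
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: '#'/'!' comments, key=value or key:value,
    and backslash line continuations (assumed sufficient for these registrations)."""
    props: Dict[str, str] = {}
    pending: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        pending.append(line)
        if line.endswith("\\"):
            pending[-1] = line[:-1]   # continuation: keep collecting
            continue
        joined, pending = "".join(pending), []
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", joined)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def file_servlet_names(props: Dict[str, str]) -> List[str]:
    """Virtual names under which weblogic.servlet.FileServlet is registered."""
    return sorted(k[len(REGISTER_PREFIX):] for k, v in props.items()
                  if k.startswith(REGISTER_PREFIX) and v == FILE_SERVLET)


def audit(props: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; empty means no path-style FileServlet
    name is registered, i.e. only the wildcard (*.ext) form is in use."""
    findings: List[Tuple[str, str]] = []
    default = props.get(DEFAULT_SERVLET_KEY)
    for name in file_servlet_names(props):
        if name.startswith("*."):
            continue   # extension-scoped registration: the vendor's second workaround
        if name == "file":
            findings.append(("HIGH", "FileServlet is registered under the documented "
                             "example name 'file'; any file under the document root, "
                             "JSP/JHTML included, is served unparsed via /file/<path>"))
        else:
            findings.append(("INFO", f"FileServlet is registered under virtual name "
                             f"'{name}'; the first vendor workaround relies on this "
                             "name staying unguessable"))
        if default == name:
            findings.append(("INFO", f"defaultServlet is '{name}', so requests for "
                             "unregistered extensions also fall through to the FileServlet"))
    return findings


def hardened_registrations(extensions: List[str], default_file: str = "index.html") -> str:
    """Emit the vendor's second workaround: one FileServlet registration per static
    extension, with the default servlet pointed at the first of them."""
    lines = []
    for ext in (e.lstrip("*.") for e in extensions):
        lines.append(f"{REGISTER_PREFIX}*.{ext}={FILE_SERVLET}")
        lines.append(f"{INIT_ARGS_PREFIX}*.{ext}=defaultFilename={default_file}")
    lines.append(f"{DEFAULT_SERVLET_KEY}=*.{extensions[0].lstrip('*.')}")
    return "\n".join(lines)


if __name__ == "__main__":
    for severity, message in audit(parse_properties(SAMPLE_WEAK)):
        print(f"[{severity}] {message}")
    print("\nReplacement registrations (static types served: html, gif, jpg, pdf, txt):")
    print(hardened_registrations(["html", "gif", "jpg", "pdf", "txt"]))
```

Run it against a copy of the production weblogic.properties (replace SAMPLE_WEAK with the file contents); an empty findings list means every FileServlet registration is extension-scoped, which is the form the lockdown documentation recommends. The first workaround (a random virtual name) is reported at INFO only, because it still leaves every file under the document root reachable unparsed to anyone who learns the name.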
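Until a server is reconfigured, its access log shows whether the "/file/" prefix from the Proof of concept section is being used against JSP/JHTML pages. The Python script below is an added example, not from the advisory: it reads Common Log Format lines, normalises the request path (percent-decoding, repeated slashes, query strings) and reports requests that reach a source-parsed extension through a FileServlet virtual name, while leaving ordinary static files served via /file/ alone. The log lines are constructed for the example; the Common Log Format layout and the set of virtual names are assumptions.

```python
"""Flag access-log requests that reach server-parsed pages (.jsp/.jhtml/.shtml)
through a FileServlet virtual name such as /file/, as described in FS-062100-3-BEA.

Added example; not code from the advisory. Assumes Common Log Format lines;
the sample below is constructed, not captured from a real server."""
import re
from typing import Iterable, List, NamedTuple, Optional, Set
from urllib.parse import unquote

# Extensions the advisory lists as handled by parsing/compiling servlets.
SOURCE_EXTENSIONS = {".jsp", ".jhtml", ".shtml"}
# Virtual names under which the FileServlet is registered on the audited host;
# "file" is the documented example name. Add any site-specific name here.
FILE_SERVLET_NAMES: Set[str] = {"file"}

CLF = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                 r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+')

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [21/Jun/2000:02:36:25 -0400] "GET /login.jsp HTTP/1.0" 200 1834
10.0.0.5 - - [21/Jun/2000:02:36:31 -0400] "GET /file/login.jsp HTTP/1.0" 200 2210
10.0.0.7 - - [21/Jun/2000:02:37:02 -0400] "GET /file/images/logo.gif HTTP/1.0" 200 4096
10.0.0.9 - - [21/Jun/2000:02:38:44 -0400] "GET //file/%61dmin/config.JHTML HTTP/1.0" 200 987
10.0.0.9 - - [21/Jun/2000:02:38:50 -0400] "GET /file/login.jsp?x=1 HTTP/1.0" 404 210
"""


class Hit(NamedTuple):
    host: str
    time: str
    target: str
    status: int
    servlet_name: str


def normalise_path(target: str) -> str:
    """Strip query/fragment, percent-decode twice and collapse repeated slashes so
    //file//login.jsp and /file/%61dmin/x.jsp are judged as the server resolves them."""
    path = target.split("?", 1)[0].split("#", 1)[0]
    path = unquote(unquote(path))
    return re.sub(r"/+", "/", path)


def classify(target: str, names: Set[str] = FILE_SERVLET_NAMES) -> Optional[str]:
    """Return the FileServlet name used if the request fetches a source-parsed
    page through it, else None. Static files via /file/ are normal and ignored."""
    segments = normalise_path(target).split("/")
    if len(segments) < 3 or segments[1] not in names:
        return None
    leaf = segments[-1].split(";", 1)[0]        # drop ;jsessionid=... style suffixes
    ext = ("." + leaf.rsplit(".", 1)[1].lower()) if "." in leaf else ""
    return segments[1] if ext in SOURCE_EXTENSIONS else None


def scan(lines: Iterable[str], names: Set[str] = FILE_SERVLET_NAMES) -> List[Hit]:
    """Run classify() over CLF lines; a 200 on a hit means source was disclosed."""
    hits: List[Hit] = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        name = classify(m["target"], names)
        if name:
            hits.append(Hit(m["host"], m["time"], m["target"], int(m["status"]), name))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        outcome = "source disclosed" if hit.status == 200 else f"status {hit.status}"
        print(f"{hit.time} {hit.host} /{hit.servlet_name}/ -> {hit.target} ({outcome})")
```

A hit with status 200 is a confirmed disclosure of that page's source and should be treated as such (credentials or connection strings embedded in the JSP/JHTML are now known to the requester); non-200 hits still show the prefix being probed. If the server uses the random-name workaround, put that name into FILE_SERVLET_NAMES so the scan covers it too.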