
bea.urlparse.txt

Posted May 1, 2002
Authored by Peter Grundl

The Bea Weblogic server v4.1 sp2 on Windows 2000 incorrectly parses certain types of URL requests, resulting in the physical path being revealed, a Denial of Service situation and disclosure of .jsp source code.

tags | denial of service
systems | windows
SHA-256 | 5238686bc453229b4aceceb879e2d11abd43881bf84eafdc99cb6eaafadf1cac

--------------------------------------------------------------------

Title: Bea Weblogic incorrect URL parsing issues

BUG-ID: 2002016
Released: 30th Apr 2002
--------------------------------------------------------------------

Problem:
========
The Bea Weblogic server incorrectly parses certain types of URL
requests. This can result in the physical path being revealed,
a Denial of Service situation and disclosure of .jsp source code.


Vulnerable:
===========
- Bea Weblogic V6.1 Service Pack 2 on Windows 2000 Server
- Other versions were not tested.


Details:
========
A problem with the URL parser in Bea Weblogic could allow a
malicious user to reveal the physical path to the web root,
cause a Denial of Service and reveal the source code of .jsp files.

Physical webroot)
By appending %00.jsp to a normal .html request, a compiler error
would in some cases be generated that would print out the path
to the physical web root. A similar result can be achieved by
prefixing with %5c (backslash):


Denial of Service)
This issue is very similar to the one reported in KPMG-2002003, in which
we published that requesting a DOS device and appending .jsp to the
request would exhaust the working threads and cause the web service to
stop parsing HTTP and HTTPS requests.

If a malicious user also added %00 in the request, it would still work.

The server can handle about 10-11 working threads, so when this
number of active threads has been reached, the server will no
longer service any requests. Since both HTTP and HTTPS are handled
by the same module, both are crippled if one is attacked.


Source code revealed)
There are a number of ways to manipulate the URL in a way that will
allow a malicious user to read the contents of a .jsp file.
One way is to append "%00x" to the request, another could be to add
"+." to the request (quotation marks excluded).
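As an added defender-side example (not part of the advisory), the following Python scans constructed access-log lines for the three URL shapes this section describes: an encoded null byte or backslash, a DOS device name with a .jsp suffix, and a trailing "+." after the request. The Common Log Format, the device-name list and the per-client threshold are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Apr/2002:10:00:01 +0200] "GET /index.html HTTP/1.0" 200 1043
10.0.0.7 - - [30/Apr/2002:10:00:02 +0200] "GET /index.html%00.jsp HTTP/1.0" 500 412
10.0.0.7 - - [30/Apr/2002:10:00:03 +0200] "GET /%5cindex.html HTTP/1.0" 500 398
10.0.0.9 - - [30/Apr/2002:10:00:04 +0200] "GET /con%00.jsp HTTP/1.0" 200 0
10.0.0.9 - - [30/Apr/2002:10:00:05 +0200] "GET /login.jsp%00x HTTP/1.0" 200 2210
10.0.0.9 - - [30/Apr/2002:10:00:06 +0200] "GET /login.jsp+. HTTP/1.0" 200 2210
10.0.0.5 - - [30/Apr/2002:10:00:07 +0200] "GET /login.jsp HTTP/1.0" 200 1870
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
# Reserved DOS device names (assumed list) that the DoS variant requests with a .jsp suffix.
DOS_DEVICES = {"con", "prn", "aux", "nul"} | {f"com{i}" for i in range(1, 10)} | {f"lpt{i}" for i in range(1, 10)}

def classify_request(raw_path: str) -> list[str]:
    """Return the advisory patterns matched by one raw request path."""
    findings = []
    decoded = unquote(raw_path)          # %00 -> NUL, %5c -> backslash
    path_only = decoded.split("?", 1)[0]  # ignore the query string
    lower = path_only.lower()
    if "\x00" in path_only:
        findings.append("encoded-null-byte")      # %00.jsp / %00x variants
    if "\\" in path_only:
        findings.append("encoded-backslash")      # %5c prefix variant
    basename = path_only.rsplit("/", 1)[-1]
    stem = basename.split("\x00", 1)[0].split(".", 1)[0].lower()
    if stem in DOS_DEVICES and lower.endswith(".jsp"):
        findings.append("dos-device-jsp")         # thread-exhaustion variant
    if lower.endswith(".jsp+."):
        findings.append("jsp-trailing-plus-dot")  # source disclosure variant
    return findings

def scan_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Yield (client, raw_path, findings) for every request that matches a pattern."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        findings = classify_request(m.group("path"))
        if findings:
            hits.append((line.split(" ", 1)[0], m.group("path"), findings))
    return hits

def dos_candidates(hits, threshold: int = 10) -> set[str]:
    """Clients whose device-name .jsp requests reach the thread count the advisory cites."""
    counts: dict[str, int] = {}
    for client, _, findings in hits:
        if "dos-device-jsp" in findings:
            counts[client] = counts.get(client, 0) + 1
    return {c for c, n in counts.items() if n >= threshold}
```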



Vendor URL:
===========
You can visit the vendor's web page here: https://www.bea.com


Vendor response:
================
The vendor was contacted about the first issue on the 6th of
November, 2001 and subsequently on the 12th of March, 2002 and
finally on the 22nd of March, 2002 about the remaining issues.
On the 25th of March, 2002 we received a private hotfix, which
corrected the issues. On the 22nd of April, 2002 the vendor
released a public bulletin.

The vendor's bulletin can be seen here: (note that the URL has
been wrapped for readability)

https://dev2dev.bea.com/resourcelibrary/advisoriesdetail.jsp?
highlight=advisoriesnotifications&path=components/dev2dev/
resourcelibrary/advisoriesnotifications/
securityadvisoriesbea020303.htm

Be sure you read the vendor bulletin, as it suggests other
security settings that might prevent future similar issues.


Corrective action:
==================
The following has been copied from the vendor bulletin:

"BEA WebLogic Server and Express version 6.1 standalone
or as part of BEA WebLogic Enterprise 6.1 on all OS platforms
Action: Apply Service Pack 2 and then apply this patch:

ftp://ftpna.bea.com/pub/releases/security/CR069809_610sp2_v2.jar

When Service Pack 3 becomes available, you can use that jar
instead of Service Pack 2 and this patch.


BEA WebLogic Server and Express version 6.0 standalone
or as part of BEA WebLogic Enterprise 6.0 on all OS platforms
Action: Apply Service Pack 2 with Rolling Patch 3 and then
apply this patch:

ftp://ftpna.bea.com/pub/releases/security/CR069809_60sp2rp3.jar


BEA WebLogic Server and Express version 5.1 standalone
or as part of BEA WebLogic Enterprise 5.1.x on all OS platforms
Action: Apply Service Pack 11 and then apply this patch:

ftp://ftpna.bea.com/pub/releases/security/CR069809_510sp11_v2.jar

When Service Pack 12 becomes available, you can use that jar
instead of Service Pack 11 and this patch.


BEA WebLogic Server and Express 4.5.2 on all OS platforms
Action: Apply Service Pack 2 and then apply this patch:

ftp://ftpna.bea.com/pub/releases/security/CR045420_wls452sp2.zip


BEA WebLogic Server and Express 4.5.1 on all OS platforms
Action: Apply Service Pack 15."



Author: Peter Gründl (pgrundl@kpmg.dk)

--------------------------------------------------------------------
KPMG is not responsible for the misuse of the information we provide
through our security advisories. These advisories are a service to
the professional security community. In no event shall KPMG be lia-
ble for any consequences whatsoever arising out of or in connection
with the use or spread of this information.
--------------------------------------------------------------------
