-------------------------------------------------------------------- Title: Bea Weblogic incorrect URL parsing issues BUG-ID: 2002016 Released: 30th Apr 2002 -------------------------------------------------------------------- Problem: ======== The Bea Weblogic server incorrectly parses certain types of URL requests. This can result in the physical path being revealed, a Denial of Service situation and revealing of .jsp sourcecode. Vulnerable: =========== - Bea Weblogic V6.1 Service Pack 2 on Windows 2000 Server - Other versions were not tested. Details: ======== A problem with the URL parser in Bea Weblogic could allow a malicious user to reveal the physical path to the web root, cause a Denial of Service and reveal the sourcecode of .jsp files. Physical webroot) By appending %00.jsp to a normal .html request, a compiler error would in some cases be generated that would print out the path to the physical web root. A similar result can be achieved by prefixing with %5c (backslash): Denial of Service) This issue is very similar to the one reported in KPMG-2002003, in which we published that requesting a DOS device and appending .jsp to the request would exhaust the working threads and cause the web service to stop parsing HTTP and HTTPS requests. If a malicious user also added %00 in the request, it would still work. The server can handle about 10-11 working threads, so when this number of active threads has been reached, the server will no longer service any requests. Since both HTTP and HTTPS are handled by the same module, both are crippled if one is attacked. Sourcecode revealed) There are a number of ways to manipulate the URL in a way that will allow a malicious user to read the contents of a .jsp file. One way is to append "%00x" to the request, another could be to add "+." to the request (exclamation marks excluded). Vendor URL: =========== You can visit the vendors webpage here: http://www.bea.com Vendor response: ================ The vendor was contacted about the first issue on the 6th of November, 2001 and subsequently on the 12th of March, 2002 and finally on the 22nd of March, 2002 about the remainding issues. On the 25th of March, 2002 we received a private hotfix, which corrected the issues. On the 22nd of April, 2002 the vendor released a public bulletin. The vendors bulletin can be seen here: (note that the url has been wrapped for readability) http://dev2dev.bea.com/resourcelibrary/advisoriesdetail.jsp? highlight=advisoriesnotifications&path=components/dev2dev/ resourcelibrary/advisoriesnotifications/ securityadvisoriesbea020303.htm Be sure you read the vendor bulletin, as it suggests other security settings that might prevent future similar issues. Corrective action: ================== The following has been copied from the vendor bulletin: "BEA WebLogic Server and Express version 6.1 standalone or as part of BEA WebLogic Enterprise 6.1 on all OS platforms Action: Apply Service Pack 2 and then apply this patch: ftp://ftpna.bea.com/pub/releases/security/CR069809_610sp2_v2.jar When Service Pack 3 becomes available, you can use that jar instead of Service Pack 2 and this patch. BEA WebLogic Server and Express version 6.0 standalone or as part of BEA WebLogic Enterprise 6.0 on all OS platforms Action: Apply Service Pack 2 with Rolling Patch 3 and then apply this patch: ftp://ftpna.bea.com/pub/releases/security/CR069809_60sp2rp3.jar BEA WebLogic Server and Express version 5.1 standalone or as part of BEA WebLogic Enterprise 5.1.x on all OS platforms Action: Apply Service Pack 11 and then apply this patch: ftp://ftpna.bea.com/pub/releases/security/CR069809_510sp11_v2.jar When Service Pack 12 becomes available, you can use that jar instead of Service Pack 11 and this patch. BEA WebLogic Server and Express 4.5.2 on all OS platforms Action: Apply Service Pack 2 and then apply this patch: ftp://ftpna.bea.com/pub/releases/security/CR045420_wls452sp2.zip BEA WebLogic Server and Express 4.5.1 on all OS platforms Action: Apply Service Pack 15." Author: Peter Gründl (pgrundl@kpmg.dk) -------------------------------------------------------------------- KPMG is not responsible for the misuse of the information we provide through our security advisories. These advisories are a service to the professional security community. In no event shall KPMG be lia- ble for any consequences whatsoever arising out of or in connection with the use or spread of this information. --------------------------------------------------------------------