--------------------------------------------------------------------

Title: Bea Weblogic incorrect URL parsing issues

BUG-ID: 2002016
Released: 30th Apr 2002
--------------------------------------------------------------------

Problem:
========
The Bea Weblogic server incorrectly parses certain types of URL
requests. This can result in the physical path being revealed,
a Denial of Service situation and revealing of .jsp sourcecode.


Vulnerable:
===========
- Bea Weblogic V6.1 Service Pack 2 on Windows 2000 Server
- Other versions were not tested.


Details:
========
A problem with the URL parser in Bea Weblogic could allow a
malicious user to reveal the physical path to the web root,
cause a Denial of Service and reveal the sourcecode of .jsp files.

Physical webroot)
By appending %00.jsp to a normal .html request, a compiler error
would in some cases be generated that would print out the path
to the physical web root. A similar result can be achieved by
prefixing with %5c (backslash):


Denial of Service)
This issue is very similar to the one reported in KPMG-2002003, in which
we published that requesting a DOS device and appending .jsp to the
request would exhaust the working threads and cause the web service to
stop parsing HTTP and HTTPS requests.

If a malicious user also added %00 in the request, it would still work.

The server can handle about 10-11 working threads, so when this
number of active threads has been reached, the server will no
longer service any requests. Since both HTTP and HTTPS are handled
by the same module, both are crippled if one is attacked.


Sourcecode revealed)
There are a number of ways to manipulate the URL in a way that will
allow a malicious user to read the contents of a .jsp file.
One way is to append "%00x" to the request, another could be to add
"+." to the request (exclamation marks excluded).



Vendor URL:
===========
You can visit the vendors webpage here: http://www.bea.com


Vendor response:
================
The vendor was contacted about the first issue on the 6th of
November, 2001 and subsequently on the 12th of March, 2002 and
finally on the 22nd of March, 2002 about the remainding issues.
On the 25th of March, 2002 we received a private hotfix, which
corrected the issues. On the 22nd of April, 2002 the vendor
released a public bulletin.

The vendors bulletin can be seen here: (note that the url has
been wrapped for readability)

http://dev2dev.bea.com/resourcelibrary/advisoriesdetail.jsp?
highlight=advisoriesnotifications&path=components/dev2dev/
resourcelibrary/advisoriesnotifications/
securityadvisoriesbea020303.htm

Be sure you read the vendor bulletin, as it suggests other
security settings that might prevent future similar issues.


Corrective action:
==================
The following has been copied from the vendor bulletin:

"BEA WebLogic Server and Express version 6.1 standalone
 or as part of BEA WebLogic Enterprise 6.1 on all OS platforms
 Action: Apply Service Pack 2 and then apply this patch:

 ftp://ftpna.bea.com/pub/releases/security/CR069809_610sp2_v2.jar

 When Service Pack 3 becomes available, you can use that jar
 instead of Service Pack 2 and this patch.


 BEA WebLogic Server and Express version 6.0 standalone
 or as part of BEA WebLogic Enterprise 6.0 on all OS platforms
 Action: Apply Service Pack 2 with Rolling Patch 3 and then
 apply this patch:

 ftp://ftpna.bea.com/pub/releases/security/CR069809_60sp2rp3.jar


 BEA WebLogic Server and Express version 5.1 standalone
 or as part of BEA WebLogic Enterprise 5.1.x on all OS platforms
 Action: Apply Service Pack 11 and then apply this patch:

 ftp://ftpna.bea.com/pub/releases/security/CR069809_510sp11_v2.jar

 When Service Pack 12 becomes available, you can use that jar
 instead of Service Pack 11 and this patch.


 BEA WebLogic Server and Express 4.5.2 on all OS platforms
 Action: Apply Service Pack 2 and then apply this patch:

 ftp://ftpna.bea.com/pub/releases/security/CR045420_wls452sp2.zip


 BEA WebLogic Server and Express 4.5.1 on all OS platforms
 Action: Apply Service Pack 15."



Author: Peter Gründl (pgrundl@kpmg.dk)

--------------------------------------------------------------------
KPMG is not responsible for the misuse of the information we provide
through our security advisories. These advisories are a service to
the professional security community. In no event shall KPMG be lia-
ble for any consequences whatsoever arising out of or in connection
with the use or spread of this information.
--------------------------------------------------------------------