exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

bea.urlparse.txt

bea.urlparse.txt
Posted May 1, 2002
Authored by Peter Grundl

The Bea Weblogic server v4.1 sp2 on Windows 2000 incorrectly parses certain types of URL requests, resulting in the physical path being revealed, a Denial of Service situation and revealing of .jsp sourcecode.

tags | denial of service
systems | windows
SHA-256 | 5238686bc453229b4aceceb879e2d11abd43881bf84eafdc99cb6eaafadf1cac

bea.urlparse.txt

Change Mirror Download
--------------------------------------------------------------------

Title: Bea Weblogic incorrect URL parsing issues

BUG-ID: 2002016
Released: 30th Apr 2002
--------------------------------------------------------------------

Problem:
========
The Bea Weblogic server incorrectly parses certain types of URL
requests. This can result in the physical path being revealed,
a Denial of Service situation and revealing of .jsp sourcecode.


Vulnerable:
===========
- Bea Weblogic V6.1 Service Pack 2 on Windows 2000 Server
- Other versions were not tested.


Details:
========
A problem with the URL parser in Bea Weblogic could allow a
malicious user to reveal the physical path to the web root,
cause a Denial of Service and reveal the sourcecode of .jsp files.

Physical webroot)
By appending %00.jsp to a normal .html request, a compiler error
would in some cases be generated that would print out the path
to the physical web root. A similar result can be achieved by
prefixing with %5c (backslash):


Denial of Service)
This issue is very similar to the one reported in KPMG-2002003, in which
we published that requesting a DOS device and appending .jsp to the
request would exhaust the working threads and cause the web service to
stop parsing HTTP and HTTPS requests.

If a malicious user also added %00 in the request, it would still work.

The server can handle about 10-11 working threads, so when this
number of active threads has been reached, the server will no
longer service any requests. Since both HTTP and HTTPS are handled
by the same module, both are crippled if one is attacked.


Sourcecode revealed)
There are a number of ways to manipulate the URL in a way that will
allow a malicious user to read the contents of a .jsp file.
One way is to append "%00x" to the request, another could be to add
"+." to the request (exclamation marks excluded).



Vendor URL:
===========
You can visit the vendors webpage here: http://www.bea.com


Vendor response:
================
The vendor was contacted about the first issue on the 6th of
November, 2001 and subsequently on the 12th of March, 2002 and
finally on the 22nd of March, 2002 about the remainding issues.
On the 25th of March, 2002 we received a private hotfix, which
corrected the issues. On the 22nd of April, 2002 the vendor
released a public bulletin.

The vendors bulletin can be seen here: (note that the url has
been wrapped for readability)

http://dev2dev.bea.com/resourcelibrary/advisoriesdetail.jsp?
highlight=advisoriesnotifications&path=components/dev2dev/
resourcelibrary/advisoriesnotifications/
securityadvisoriesbea020303.htm

Be sure you read the vendor bulletin, as it suggests other
security settings that might prevent future similar issues.


Corrective action:
==================
The following has been copied from the vendor bulletin:

"BEA WebLogic Server and Express version 6.1 standalone
or as part of BEA WebLogic Enterprise 6.1 on all OS platforms
Action: Apply Service Pack 2 and then apply this patch:

ftp://ftpna.bea.com/pub/releases/security/CR069809_610sp2_v2.jar

When Service Pack 3 becomes available, you can use that jar
instead of Service Pack 2 and this patch.


BEA WebLogic Server and Express version 6.0 standalone
or as part of BEA WebLogic Enterprise 6.0 on all OS platforms
Action: Apply Service Pack 2 with Rolling Patch 3 and then
apply this patch:

ftp://ftpna.bea.com/pub/releases/security/CR069809_60sp2rp3.jar


BEA WebLogic Server and Express version 5.1 standalone
or as part of BEA WebLogic Enterprise 5.1.x on all OS platforms
Action: Apply Service Pack 11 and then apply this patch:

ftp://ftpna.bea.com/pub/releases/security/CR069809_510sp11_v2.jar

When Service Pack 12 becomes available, you can use that jar
instead of Service Pack 11 and this patch.


BEA WebLogic Server and Express 4.5.2 on all OS platforms
Action: Apply Service Pack 2 and then apply this patch:

ftp://ftpna.bea.com/pub/releases/security/CR045420_wls452sp2.zip


BEA WebLogic Server and Express 4.5.1 on all OS platforms
Action: Apply Service Pack 15."



Author: Peter Gründl (pgrundl@kpmg.dk)

--------------------------------------------------------------------
KPMG is not responsible for the misuse of the information we provide
through our security advisories. These advisories are a service to
the professional security community. In no event shall KPMG be lia-
ble for any consequences whatsoever arising out of or in connection
with the use or spread of this information.
--------------------------------------------------------------------

Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    21 Files
  • 12
    Sep 12th
    40 Files
  • 13
    Sep 13th
    18 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    21 Files
  • 17
    Sep 17th
    51 Files
  • 18
    Sep 18th
    23 Files
  • 19
    Sep 19th
    48 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close