======================================================================
Defcom Labs Advisory def-2000-04
Bea WebLogic Server dotdot-overflow
Author: Peter Gründl
Release Date: 2000-12-19
======================================================================

------------------------=[Brief Description]=-------------------------
It is possible to trigger a race condition that can result in the
stack and registers being partially overwritten.

------------------------=[Affected Systems]=--------------------------
Bea WebLogic Server for Windows NT prior to V5.1.0 - Service Pack 7

----------------------=[Detailed Description]=------------------------
WebLogic Server has a specific handler for URL requests that start
with "dotdot". By sending a large URL (..aaaaaaaaaaaaaaaaaaxlots more)
and disconnecting, it is possible to trigger a buffer overflow. The
result can be anywhere from crashing the web server to executing
arbitrary code on the server with the privileges of the web server
(which usually means LocalSystem).

---------------------------=[Workaround]=-----------------------------
Upgrade to Bea Weblogic 5.1.0, Service Pack 7:
http://commerce.beasys.com/downloads/weblogic_server.jsp

-------------------------=[Vendor Response]=--------------------------
This issue was brought to the vendor's attention on the 20th of
November, and notification of a fix was received by Defcom on the
19th of December.

======================================================================
This release was brought to you by Defcom Labs
labs@defcom.com
www.defcom.com
======================================================================
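A log-based check for the request pattern the advisory describes (an oversized request aimed at the "dotdot" handler, with the client dropping the connection), added here as an example and not part of the advisory. It assumes access-log lines in Common Log Format (the sample lines and the length threshold are constructed; WebLogic's own log layout may differ).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Common Log Format is an assumed layout for this example; adjust the
# regex if the server writes a different access-log format.
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}|-) (?P<bytes>\d+|-)'
)

# Path length above which a ".." request is treated as suspicious.
# Constructed threshold; tune it against normal traffic before alerting.
MAX_DOTDOT_PATH = 256


@dataclass
class Alert:
    host: str
    path_len: int
    aborted: bool  # status "-" means no response was logged (client dropped)


def parse_clf(line: str) -> Optional[dict]:
    """Return the named fields of one CLF line, or None if it does not parse."""
    m = CLF_RE.match(line.strip())
    return m.groupdict() if m else None


def is_dotdot_probe(path: str, max_len: int = MAX_DOTDOT_PATH) -> bool:
    """True if the path targets the 'dotdot' handler (starts with "..",
    optionally after a leading "/") and is longer than max_len bytes."""
    return path.lstrip("/").startswith("..") and len(path) > max_len


def scan_log(lines: List[str]) -> List[Alert]:
    """Parse each line and collect an Alert for every oversized '..' request."""
    alerts = []
    for line in lines:
        rec = parse_clf(line)
        if rec and is_dotdot_probe(rec["path"]):
            alerts.append(Alert(rec["host"], len(rec["path"]), rec["status"] == "-"))
    return alerts


# Constructed sample lines: a normal request, a short ".." request, and an
# oversized ".." request whose connection was closed before any response.
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Dec/2000:10:00:01 +0100] "GET /index.jsp HTTP/1.0" 200 512',
    '192.0.2.11 - - [19/Dec/2000:10:00:02 +0100] "GET /../etc HTTP/1.0" 404 0',
    '192.0.2.12 - - [19/Dec/2000:10:00:03 +0100] "GET /..' + 'a' * 400 + ' HTTP/1.0" - -',
]

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a.host}: dotdot path of {a.path_len} bytes, aborted={a.aborted}")
```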