======================================================================
Defcom Labs Advisory def-2001-14
Bea Weblogic Unicode Directory Browsing
Author: Peter Gründl <[EMAIL PROTECTED]>
Release Date: 2001-03-26
======================================================================
------------------------=[Brief Description]=-------------------------
The Bea Weblogic server contains a flaw that allows directory browsing
even if the directories contain default documents.
------------------------=[Affected Systems]=--------------------------
- Bea Weblogic Server 6.0 for Windows NT/2000
----------------------=[Detailed Description]=------------------------
By requesting a URL and ending it with one of the following unicode
representations: %00, %2e, %2f or %5c, it is possible to bypass the
listing of the default document (eg. index.html) and browse the
content of the web folders.
Examples:
http://www.foo.org/%00/
http://www.foo.org/images/%2e/
http://www.foo.org/passwords/%2f/
http://www.foo.org/creditcard/%5c/
The four unicode representations translate to "null", ".", "/" and "\"
---------------------------=[Workaround]=-----------------------------
Download and install Weblogic 6.0 with Service Pack 1:
http://commerce.bea.com/downloads/weblogic_server.jsp#wls
-------------------------=[Vendor Response]=--------------------------
This issue was brought to the vendor's attention on the 22nd of
February, 2001 and a workaround was received on the 6th of March 2001.
======================================================================
This release was brought to you by Defcom Labs
[EMAIL PROTECTED] www.defcom.com
======================================================================
