> ------------------------=[Affected Systems]=--------------------------
> - Bea Weblogic Server 6.0 for Windows NT/2000
> - It appears that versions prior to 6.0 might also be vulnerable!
> They are indeed - I turned directory listing back on and was able to
> reproduce the originally described effect in 4.5.1 and 5.1.
>
> It should be noted that this will not fix the issue with revealing jsp
> source code that Adam Boileau reported to Bugtraq in response to the
> original posting of this advisory!

To expand somewhat, after some further work:

Appending a '%00' to the end of a .jsp request retrieves the source of the
jsp. I have reproduced this on WL 4.5.1 SP11 and SP13 in both cluster and
standalone configurations. I have also reproduced it with 5.1 SP6 and SP3,
all in a Solaris environment.

The negative result that I initially got with SP11 turned out to be quite
interesting - it occurs only when passed through libproxy.so 4.5.1 SP7.
Testing directly against the weblogic server, the %00 trick works. When
proxied (in my case, through Netscape Enterprise Server) via
solaris/libproxy.so 4.5.1 SP8, SP9, SP11, SP11(with fix), and SP13, it also
works. When proxied through 4.5.1 SP7, it does not. I don't have any
versions earlier than SP7 to try - results would be interesting if anyone
does.

This gives people in my position a workaround until BEA come up with a fix -
running an old version of libproxy.so.

I've done no testing of WLS on NT - you're on your own.

I have notified BEA (they released an advisory in response to the Defcom
Labs directory listing vuln today, but nothing about my little observation)
today, shorter notice than RFP would like[1], but given that the cat is
already out of the bag, I figured it was better to let people know as soon
as possible.

Regards,
Adam

-------------
Adam Boileau
Security Consultant
Auckland, New Zealand

[1] But then again, he wears gold lame[2] pants, so who are we to take him
    seriously ;)
[2] That's "lah-may" not "lame" :)
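An added detection example (not code from Adam's post, BEA, or the advisory): it scans constructed web-server access-log lines for .jsp requests that carry an encoded null byte after the page name, the pattern described above, so that such probes and the 200 responses that would indicate source disclosure can be picked out. It assumes Common Log Format lines and a single round of %-decoding on the server side.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Feb/2001:10:00:01 +1300] "GET /index.jsp HTTP/1.0" 200 1834
10.0.0.7 - - [01/Feb/2001:10:00:02 +1300] "GET /index.jsp%00 HTTP/1.0" 200 5120
10.0.0.7 - - [01/Feb/2001:10:00:03 +1300] "GET /admin/login.JSP%00?x=1 HTTP/1.0" 200 4100
10.0.0.9 - - [01/Feb/2001:10:00:04 +1300] "GET /images/logo.gif%00 HTTP/1.0" 404 210
10.0.0.9 - - [01/Feb/2001:10:00:05 +1300] "GET /index.jsp%2500 HTTP/1.0" 404 210
"""

# Pulls the method and request-target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def is_null_byte_jsp_request(target: str) -> bool:
    """True when the request target has a NUL immediately after a .jsp path.

    The null byte is what makes the server return the page source instead of
    the compiled output, so we look for a decoded NUL that follows '.jsp'.
    Assumes one round of %-decoding, as a typical server does; '%2500' only
    decodes to the literal text '%00' and is therefore not flagged.
    """
    path = target.split("?", 1)[0]          # ignore the query string
    decoded = unquote(path)
    if "\x00" not in decoded:
        return False
    before_nul = decoded.split("\x00", 1)[0]
    return before_nul.lower().endswith(".jsp")


def flag_jsp_source_probes(log_text: str) -> list:
    """Return (client_ip, request_target, status) for each suspicious request.

    A 200 status on a flagged line is the case worth escalating: it means the
    server most likely served the JSP source rather than rejecting the request.
    """
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        if is_null_byte_jsp_request(m.group("target")):
            client_ip = line.split(" ", 1)[0]
            status = line.rsplit('" ', 1)[1].split()[0]
            hits.append((client_ip, m.group("target"), status))
    return hits


if __name__ == "__main__":
    for ip, target, status in flag_jsp_source_probes(SAMPLE_LOG):
        print(f"{ip} requested {target!r} -> {status}")
```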
