!!I don't know whether this still applies to WebLogic, since the news item is from
June 15.!!



WebLogic exposes JSP source code
Jun 15, 2000 - 11:48
BEA's WebLogic for NT suffers from a vulnerability that allows an attacker
to view source code of Java Server Pages (JSP) and JHTML files. 
This vulnerability is very similar to the Source view vulnerability in
Unify eWave ServletExec. They both deal with the means of bypassing the
parser by using "unexpected" extensions. 

Vulnerable systems: 
BEA WebLogic 4.5.1 for Windows NT 
BEA WebLogic 4.0.4 for Windows NT 
BEA WebLogic 3.1.8 for Windows NT 

Immune systems: 
BEA WebLogic 5.1 for Windows NT 
BEA WebLogic 4.5.2 for Windows NT 

The problem lies with the way WebLogic assigns handlers to specific file
types. For example, files with the extensions .jsp and .jhtml are
registered as Java Server Pages or Java Servlet files in the WebLogic
configuration file "weblogic.properties", which lies under the \weblogic directory. 

A sample out-of-the-box configuration file looks as follows: 

# ---Irrelevant part trimmed out--- 
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 
# WEBLOGIC JHTML PROPERTIES 
# ------------------------------------------------ 
# Sets up automatic page compilation for JHTML. Adjust init 
# args for directory locations and uncomment to use. 
weblogic.httpd.register.*.jhtml=\ 
weblogic.servlet.jhtmlc.PageCompileServlet 
weblogic.httpd.initArgs.*.jhtml=\ 
pageCheckSeconds=1,\ 
packagePrefix=examples.jhtml,\ 
compileCommand=c:/java/bin/javac.exe,\ 
workingDir=d:/weblogic/myserver/classfiles,\ 
verbose=true 

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 
# WEBLOGIC JSP PROPERTIES 
# ------------------------------------------------ 
# Sets up automatic page compilation for JSP. Adjust init 
# args for directory locations and uncomment to use. 
weblogic.httpd.register.*.jsp=\ 
weblogic.servlet.JSPServlet 
weblogic.httpd.initArgs.*.jsp=\ 
pageCheckSeconds=1,\ 
compileCommand=c:/java/bin/javac.exe,\ 
workingDir=d:/weblogic/myserver/classfiles,\ 
verbose=true 

We can observe that the extensions .jsp and .jhtml are assigned to the
page-compilation servlets, which in turn invoke the Java compiler. 

WebLogic, being case sensitive, interprets .jsp and .JSP as two different
extensions. The same is true of .jhtml and .JHTML. If a request for a
.JSP file is made to WebLogic, it cannot find a handler for the .JSP
extension and therefore uses the default handler, which is of type
"text". Since the underlying file system is Windows NT, which does not
differentiate between upper case and lower case filenames, the
requested file ends up being served as plain text without being parsed
or interpreted. WebLogic running on Unix servers instead returns a "File Not
Found" error. 

Proof of concept: 
Normally, JSP and JHTML files are referred to in URLs using lower case
extensions. For example: 

http://www.example.com/login.jsp 
-or- 
http://www.example.com/index.jhtml 

By changing any letters in the extension (.jsp or .jhtml) to upper case, it
is possible to obtain the unparsed source code of the JSP or JHTML file: 

http://www.example.com/login.JSP 
-or- 
http://www.example.com/index.JHTML 

Workaround: 

A cumbersome workaround to this problem would be to add handlers for the
following file extensions in the configuration file: 

For .jsp files: 

.jsp .Jsp .jSp .jsP .JSp .jSP .JsP .JSP 

For .jhtml files: 

.jhtml .Jhtml .jHtml .jhTml .jhtMl .jhtmL .JHtml .JhTml 
.JhtMl .JhtmL .jHTml .jHtMl .jHtmL .jhTMl .jhTmL 
.jhtML .JHTml .JHtMl .JHtmL .JhTMl .JhTmL .JhtML 
.jHTMl .jHTmL .jHtML .jhTML .JHTMl .JHTmL .JhTML 
.jHTML .JHTML 

These extensions cover all combinations of upper and lower case characters
for .jsp and .jhtml. 

Fix: 
Check the following property in the weblogic.properties file: 

weblogic.httpd.servlet.extensionCaseSensitive 

In certain versions of BEA WebLogic Server, this property defaults to
"false". For maximum security, as documented in the BEA properties and
security lockdown documentation at: 

http://www.weblogic.com/docs51/admindocs/properties.html 
http://www.weblogic.com/docs51/admindocs/lockdown.html 

set weblogic.httpd.servlet.extensionCaseSensitive to "true", i.e. add (or
change) the following line in your weblogic.properties file: 

weblogic.httpd.servlet.extensionCaseSensitive=true 

If you are using BEA WebLogic 3.1.8 you should apply the following patch: 
ftp://ftpna.beasys.com/pub/releases/318/caseSensitiveNTFix318.zip 
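The following script is an added example, not part of the advisory or of BEA's product: it reads a weblogic.properties-style file and reports, per registered extension, which upper/lower-case spellings have no handler (the gap the cumbersome workaround above closes), unless the extensionCaseSensitive fix described above is already set. The sample properties text is constructed for the example.

```python
import itertools
import re
from typing import Dict, List, Set

# Constructed sample modelled on the out-of-the-box file quoted above.
# Continuation lines end in a backslash, as in java.util.Properties.
SAMPLE_PROPERTIES = """\
# WEBLOGIC JSP / JHTML PROPERTIES
weblogic.httpd.register.*.jsp=\\
weblogic.servlet.JSPServlet
weblogic.httpd.register.*.jhtml=\\
weblogic.servlet.jhtmlc.PageCompileServlet
weblogic.httpd.servlet.extensionCaseSensitive=false
"""

def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Properties reader: '#' comments, key=value, and a trailing
    backslash that continues the value on the next line."""
    props: Dict[str, str] = {}
    logical = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not logical and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            logical += line[:-1]
            continue
        logical += line
        key, _, value = logical.partition("=")
        props[key.strip()] = value.strip()
        logical = ""
    return props

def registered_extensions(props: Dict[str, str]) -> Set[str]:
    """Extensions that have a handler via weblogic.httpd.register.*.<ext>."""
    pattern = re.compile(r"weblogic\.httpd\.register\.\*\.(\w+)")
    return {m.group(1) for m in map(pattern.fullmatch, props) if m}

def case_variants(ext: str) -> List[str]:
    """Every upper/lower spelling of ext: 8 for 'jsp', 32 for 'jhtml'."""
    pairs = [(ch.lower(), ch.upper()) for ch in ext]
    return ["".join(combo) for combo in itertools.product(*pairs)]

def audit(text: str) -> Dict[str, List[str]]:
    """Map each handled extension (lower-cased) to its spellings that have
    no handler and would fall through to the default 'text' handler on NT.
    Returns {} when extensionCaseSensitive=true is set (the documented fix)."""
    props = parse_properties(text)
    flag = props.get("weblogic.httpd.servlet.extensionCaseSensitive", "false")
    if flag.strip().lower() == "true":
        return {}
    exts = registered_extensions(props)
    unhandled: Dict[str, List[str]] = {}
    for ext in {e.lower() for e in exts}:
        missing = [v for v in case_variants(ext) if v not in exts]
        if missing:
            unhandled[ext] = missing
    return unhandled
```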


provided by: Saumil Shah. 
mailto:[EMAIL PROTECTED] 



_____________________________________________________________________________
Tamer Americo - Conselho Federal de Medicina - CFM
[EMAIL PROTECTED] - ICQ#3221276