Multiple Vulnerabilities in BEA Weblogic

Reported April 29, 2002, by Peter Gründl.

VERSION AFFECTED

• BEA WebLogic 6.1 Service Pack 2 (SP2) for Windows 2000

DESCRIPTION

Multiple vulnerabilities exist in BEA WebLogic 6.1 SP2 for Windows 2000. A problem with the URL parser in Bea WebLogic could let an attacker reveal the physical path to the Web root, cause a Denial of Service (DoS) attack, or reveal the source code of .jsp files.

• By appending %00.jsp to a normal .html request, an attacker can in some cases generate a compiler error that prints out the path to the physical Web root.

• By requesting a DOS device and appending .jsp to the request, an attacker can exhaust working threads, which will cause the Web service to stop parsing HTTP and HTTP over Secure Sockets Layer (HTTPS) requests.

• An attacker can use several methods to manipulate the URL in a way that will let the attacker read the contents of a .jsp file. For example, a malicious user can append "%00x" or "+." (exclamation marks excluded) to a request for a .jsp file and read the contents of the .jsp file.

VENDOR RESPONSE

The vendor, BEA, has released a patch that resolves these vulnerabilities.

CREDIT
Discovered by Peter Gründl.