WebLogic Displays Source Code
Reported July 28, 2000 by Foundstone

VERSIONS AFFECTED
  • BEA Systems WebLogic Enterprise 5.1.x
  • BEA Systems WebLogic Server Express 4.5.X and 5.1.x

DESCRIPTION

WebLogic can be caused to display source code by using specific syntax to invoke the SSIServlet or FileServlet applications, which ship as part of the platform. A request routed through either servlet returns the raw file instead of the compiled output.

DEMONSTRATION

If a site has a URL such as that shown in Figure 1, then its source can be displayed by using the URL seen in Figure 2:

Figure 1: http://site.running.weblogic/login.jsp

Figure 2: http://site.running.weblogic/*.shtml/login.jsp

In addition, by prefixing a URL with the /ConsoleHelp/ path, a file's source code will be displayed. For example, the source code within the file at the URL seen in Figure 3 can be viewed by accessing it via the modified URL seen in Figure 4:

Figure 3: http://site.running.weblogic/login.jsp

Figure 4: http://site.running.weblogic/ConsoleHelp/login.jsp
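Detection logic for the two URL patterns above, as an added example that is not part of the advisory: it scans constructed Common Log Format lines and flags requests that route a .jsp file through a "/*.shtml/" segment or the "/ConsoleHelp/" prefix, decoding the path first so an encoded asterisk is caught as well. The log lines, IP addresses and the .jhtml extension check are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Jul/2000:10:01:02 -0700] "GET /login.jsp HTTP/1.0" 200 1432
10.0.0.9 - - [28/Jul/2000:10:01:07 -0700] "GET /*.shtml/login.jsp HTTP/1.0" 200 2871
10.0.0.9 - - [28/Jul/2000:10:01:11 -0700] "GET /ConsoleHelp/login.jsp HTTP/1.0" 200 2871
10.0.0.9 - - [28/Jul/2000:10:01:15 -0700] "GET /%2A.shtml/admin/index.jsp HTTP/1.0" 200 2901
10.0.0.7 - - [28/Jul/2000:10:02:00 -0700] "GET /ConsoleHelp/index.html HTTP/1.0" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Extensions the container normally compiles rather than serves raw (.jhtml is an assumption).
SOURCE_EXT = ('.jsp', '.jhtml')


def is_source_disclosure_probe(path):
    """True if the path matches either pattern from the advisory.

    Pattern 1: a '/*.shtml/' segment ahead of the file (SSIServlet route).
    Pattern 2: a '/ConsoleHelp/' prefix on the file (FileServlet route).
    The path is URL-decoded first so '%2A.shtml' is seen as '*.shtml'.
    """
    decoded = unquote(path.split('?', 1)[0]).lower()
    if not decoded.endswith(SOURCE_EXT):
        return False
    return '/*.shtml/' in decoded or decoded.startswith('/consolehelp/')


def scan_log(text):
    """Return (ip, path, status) for each request that looks like a disclosure probe."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_source_disclosure_probe(m['path']):
            hits.append((m['ip'], m['path'], int(m['status'])))
    return hits


if __name__ == '__main__':
    for ip, path, status in scan_log(SAMPLE_LOG):
        print(f'{ip} requested {path} -> {status}')
```

A 200 status on a flagged request is the signal that the raw file was actually returned; a patched server should answer such requests with an error.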

VENDOR RESPONSE

BEA Systems released a patch for the problem, available by contacting their support staff.

CREDIT

Discovered by Foundstone