Weblogic Exposes File Contents
Reported June 21 by Foundstone

VERSIONS AFFECTED

  • BEA WebLogic Server and Express 5.1.x
  • BEA WebLogic Server and Express 4.5.x
  • BEA WebLogic Server and Express 4.0.x
  • BEA WebLogic Server and Express 3.1.8

DESCRIPTION

Due to an improperly exposed directory, WebLogic allows the contents of any file within the web root directory to be shown in clear text.

DEMONSTRATION

If the URL for a file "login.jsp" is:

    http://site.running.weblogic/login.jsp

then accessing

    http://site.running.weblogic/file/login.jsp

would cause the unparsed contents of the file to show up in the web browser.

VENDOR RESPONSE

Foundstone issued a bulletin with the following workaround recommendations:

Do not use the example configuration for the FileServlet in production situations. It is possible to view the source of a JSP/JHTML file in a browser if you do. For more information on the file servlet, see "Setting up the File Servlet" in the online documentation at: http://www.weblogic.com/docs51/admindocs/http.html#file

The example registrations look like this:

    weblogic.httpd.register.file=weblogic.servlet.FileServlet
    weblogic.httpd.initArgs.file=defaultFilename=index.html
    weblogic.httpd.defaultServlet=file

There are two ways to avoid this:

* Register the file servlet with a name that uses a random string that will be difficult to guess. For example, the following registrations will register the file servlet as 12foo34:

    weblogic.httpd.register.12foo34=weblogic.servlet.FileServlet
    weblogic.httpd.initArgs.12foo34=defaultFilename=index.html
    weblogic.httpd.defaultServlet=12foo34

* Register the file servlet using wild cards representing all of the file extensions you will be serving. For example, the following registrations register the file servlet to serve .html files:

    weblogic.httpd.register.*.html=weblogic.servlet.FileServlet
    weblogic.httpd.initArgs.*.html=defaultFilename=index.html
    weblogic.httpd.defaultServlet=*.html

Repeat the above registrations for all the file types you will be serving, for example, *.gif, *.jpg, *.pdf, *.txt, etc.

Note: This information is documented in the BEA WebLogic Server and Express documentation at:
http://www.weblogic.com/docs51/admindocs/lockdown.html
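The following audit script is an added example, not part of the Foundstone advisory or of BEA's documentation. It parses a WebLogic 5.1-style weblogic.properties text and flags every registration of weblogic.servlet.FileServlet under a path-style name (the documented example name "file" rated high, any other guessable name rated medium), while accepting the per-extension wildcard form recommended above. The two embedded configurations are constructed samples built from the registrations quoted in the advisory.

```python
# Added example: audit weblogic.properties for the exposed-FileServlet pattern.
# Not the advisory's or BEA's code; the severity ratings are this script's own.
FILE_SERVLET = "weblogic.servlet.FileServlet"
REGISTER_PREFIX = "weblogic.httpd.register."


def parse_properties(text):
    """Minimal Java .properties parser: key=value lines, '#' or '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def file_servlet_aliases(props):
    """Names under which weblogic.servlet.FileServlet is registered."""
    return sorted(
        key[len(REGISTER_PREFIX):]
        for key, value in props.items()
        if key.startswith(REGISTER_PREFIX) and value == FILE_SERVLET
    )


def audit(text):
    """Return (severity, alias, message) tuples for path-style FileServlet
    registrations; an empty list means only extension wildcards were found."""
    findings = []
    for alias in file_servlet_aliases(parse_properties(text)):
        if alias.startswith("*."):
            # Extension wildcard: FileServlet serves only that file type,
            # so .jsp/.jhtml sources are never returned unparsed.
            continue
        if alias == "file":
            findings.append(("high", alias,
                "FileServlet registered under the documented example name "
                "'file'; /file/<path> returns any web-root file unparsed"))
        else:
            findings.append(("medium", alias,
                f"FileServlet reachable as /{alias}/<path>; protection relies "
                "on the name being hard to guess"))
    return findings


# Constructed sample: the example registration quoted in the advisory.
VULNERABLE = """\
weblogic.httpd.register.file=weblogic.servlet.FileServlet
weblogic.httpd.initArgs.file=defaultFilename=index.html
weblogic.httpd.defaultServlet=file
"""

# Constructed sample: per-extension registration as recommended.
HARDENED = """\
weblogic.httpd.register.*.html=weblogic.servlet.FileServlet
weblogic.httpd.initArgs.*.html=defaultFilename=index.html
weblogic.httpd.register.*.gif=weblogic.servlet.FileServlet
weblogic.httpd.defaultServlet=*.html
"""

if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, audit(cfg) or "no findings")
```

Running the script prints one high finding for the advisory's example configuration and no findings for the wildcard configuration; point `audit()` at the contents of a real weblogic.properties file to check a deployment.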

CREDITS

Discovered and reported by Foundstone