Security Advisories and Notifications


Security Advisory: (BEA00-02.00)

From: Oracle Corporation

Minor Subject: Security Configuration Advisory - BEA WebLogic Server and Express

Product(s) Affected: BEA WebLogic Server and Express

It has come to our attention that there is a common misconfiguration that has the potential to lead to a security vulnerability in certain versions of BEA WebLogic Server and Express on all platforms. BEA treats such possibilities with the highest degree of urgency and does everything possible to ensure the security of all customer assets. As a result, we strongly suggest the following actions:

      I. Read the following advisory.

      II. If you know of any additional users interested in future security advisories, please forward them the registration instructions below.


I. ADVISORY

Last week, Foundstone, Inc. (www.foundstone.com), a security consulting and training firm, reported the following common misconfiguration in BEA WebLogic Server and Express:

It is possible to view the source of a JSP/jHTML file in a browser if you use the example registration for the file servlet as provided in the example weblogic.properties file that is shipped with your BEA WebLogic Server distribution.

The following BEA WebLogic Server and Express releases are affected by this behavior:
  • Version: BEA WebLogic Server and Express 5.1.x
  • Version: BEA WebLogic Server and Express 4.5.x
  • Version: BEA WebLogic Server and Express 4.0.x
  • Version: BEA WebLogic Server and Express 3.1.8
Note: No currently available versions of BEA WebLogic Enterprise are affected.


CAUSE

This is due to the fact that we register FileServlet under the virtual name "file" in the weblogic.properties file shipped with the product. Currently, there is one directory (commonly known as the document root) for serving both static content (HTML files, images, etc.) and dynamic content (JSP, jHTML, etc.). Hence, a URL such as http://www.bea.com/file/my.jsp will be handled by the FileServlet. The FileServlet will take the string after its virtual name (../../my.jsp), append it to the document root and serve the file as is. This will lead to exposing JSP/jHTML code in the browser.


II. SUGGESTED ACTION

Do not use the example configuration for the FileServlet in production situations. It is possible to view the source of a JSP/jHTML file in a browser if you do. For more information on the file servlet, see "Setting up the File Servlet" in the online documentation.

The example registrations look like this:

    weblogic.httpd.register.file=weblogic.servlet.FileServlet
    weblogic.httpd.initArgs.file=defaultFilename=index.html
    weblogic.httpd.defaultServlet=file

There are two ways to avoid this:

METHOD ONE

  • Register the file servlet using wild cards representing all of the file extensions you will be serving. For example, the following registrations register the file servlet to serve .html files:

    weblogic.httpd.register.*.html=weblogic.servlet.FileServlet
    weblogic.httpd.initArgs.*.html=defaultFilename=index.html
    weblogic.httpd.defaultServlet=*.html

METHOD TWO

Note: This information is documented in the BEA WebLogic Server and Express documentation. We strongly encourage you to review this document so that you can be assured that your server deployment is securely configured.
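As an added example (not BEA/Oracle code), the following Python audit reads a weblogic.properties file and flags the registration pattern described above: a FileServlet bound to a virtual name such as "file" (or chosen as the default servlet), which maps any document-root file verbatim. It goes one step beyond the advisory's text by also flagging an extension-style registration (METHOD ONE) that covers a dynamic type such as *.jsp, since that too would serve source as text. The two embedded property snippets are constructed from the advisory's examples.

```python
# Added example (not BEA/Oracle code): audit a WebLogic 5.x-style weblogic.properties
# file for the FileServlet registration pattern that BEA00-02 warns about.

FILE_SERVLET = "weblogic.servlet.FileServlet"
REGISTER_PREFIX = "weblogic.httpd.register."
DYNAMIC_EXTENSIONS = {"jsp", "jhtml"}  # source of these must never be served as static text

def parse_properties(text):
    """Minimal properties parser: key=value lines, '#'/'!' comments, first '=' splits."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "!")):
            key, sep, value = line.partition("=")
            if sep:
                props[key.strip()] = value.strip()
    return props

def audit_file_servlet(text):
    """Return findings for risky FileServlet registrations; an empty list means none."""
    props = parse_properties(text)
    findings, virtual_names = [], []
    for key, value in props.items():
        if not key.startswith(REGISTER_PREFIX) or value != FILE_SERVLET:
            continue
        name = key[len(REGISTER_PREFIX):]
        if name.startswith("*."):  # extension pattern (METHOD ONE)
            ext = name[2:].lower()
            if ext in DYNAMIC_EXTENSIONS:
                findings.append(f"FileServlet registered for *.{ext}: serves {ext} source as text")
        else:  # virtual name such as 'file': /<name>/<path> maps any document-root file
            virtual_names.append(name)
            findings.append(f"FileServlet under virtual name '{name}': exposes JSP/jHTML source")
    default = props.get("weblogic.httpd.defaultServlet")
    if default in virtual_names:
        findings.append(f"defaultServlet '{default}' is the virtual-name FileServlet")
    return findings

# Constructed samples: the shipped example registration and the METHOD ONE fix.
VULNERABLE_PROPERTIES = """\
weblogic.httpd.register.file=weblogic.servlet.FileServlet
weblogic.httpd.initArgs.file=defaultFilename=index.html
weblogic.httpd.defaultServlet=file
"""
HARDENED_PROPERTIES = """\
weblogic.httpd.register.*.html=weblogic.servlet.FileServlet
weblogic.httpd.initArgs.*.html=defaultFilename=index.html
weblogic.httpd.defaultServlet=*.html
"""
```

Running `audit_file_servlet(VULNERABLE_PROPERTIES)` yields two findings (the virtual-name registration and the default servlet pointing at it), while the hardened snippet yields none.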


SECURITY COMMUNICATIONS

Oracle strongly suggests that customers apply the remedies recommended in all our security advisories. Oracle also urges customers to apply every Service/Maintenance Pack as they are released. Service/Maintenance Packs include a roll-up of all bug fixes for each version of the product, as well as each of the prior Service/Maintenance Packs. Service/Maintenance Packs and information about them can be found at: http://www.oracle.com/technology/software/products/ias/bea_main.html

Note: Information about securing WebLogic Server and WebLogic Express can be found at http://edocs.bea.com/wls/docs103/security.html. Specific lockdown information is provided at http://e-docs.bea.com/wls/docs103/lockdown/index.html. We strongly encourage you to review this documentation to ensure your server deployment is securely configured.

As a policy, if there are any security-related issues with any Oracle product, Oracle will distribute an advisory and instructions with the appropriate course of action. Because the security of your site, data, and code is our highest priority, we are committed to communicating all security-related issues clearly and openly.

All previous advisories can be viewed at: http://www.oracle.com/technology/deploy/security/wls-security.

Additional users who wish to register for product advisory distribution should follow the registration directions at: http://www.oracle.com/technology/deploy/security/alerts.htm.

Security issues can be reported to Oracle by following the directions at: http://www.oracle.com/technology/deploy/security/alerts.htm.

Thank you,
Oracle Corporation