From: BEA Systems Inc.
Minor Subject: Security Configuration Advisory - BEA WebLogic Server and Express
Product(s) Affected: BEA WebLogic Server and Express
It has come to our attention that there is a common misconfiguration that has the potential to lead to a security vulnerability in certain versions of BEA WebLogic Server and Express on all platforms. BEA treats such possibilities with the highest degree of urgency and does everything possible to ensure the security of all customer assets. As a result, we strongly suggest the following actions:
I. Read the following advisory.
II. If you know of any additional users interested in future security advisories, please forward them the registration instructions below.
I. ADVISORY
Last week, Foundstone, Inc. (www.foundstone.com), a security consulting and training firm, reported the following common misconfiguration in BEA WebLogic Server and Express:
It is possible to view the source of a JSP/jHTML file in a browser if you use the example registration for the file servlet as provided in the example weblogic.properties file that is shipped with your BEA WebLogic Server distribution.
The following BEA WebLogic Server and Express releases are affected by this behavior:
- Version: BEA WebLogic Server and Express 5.1.x
- Version: BEA WebLogic Server and Express 4.5.x
- Version: BEA WebLogic Server and Express 4.0.x
- Version: BEA WebLogic Server and Express 3.1.8
CAUSE
This is due to the fact that we register FileServlet under the virtual name "file" in the weblogic.properties file shipped with the product. Currently, there is one directory (commonly known as the document root) for serving both static content (HTML files, images, etc.) and dynamic content (JSP, jHTML, etc.). Hence, a URL such as http://www.bea.com/file/my.jsp will be handled by the FileServlet. The FileServlet will take the string after its virtual name (../../my.jsp), append it to the document root and serve the file as is. This will lead to exposing JSP/jHTML code in the browser.
II. SUGGESTED ACTION
Do not use the example configuration for the FileServlet in production situations. It is possible to view the source of a JSP/jHTML file in a browser if you do. For more information on the file servlet, see "Setting up the File Servlet" in the online documentation.
The example registrations look like this:
weblogic.httpd.register.file=weblogic.servlet.FileServlet
weblogic.httpd.initArgs.file=defaultFilename=index.html
weblogic.httpd.defaultServlet=file
There are two ways to avoid this:
METHOD ONE
- Register the file servlet using wild cards representing all of the file extensions you will be serving. For example, the following registrations register the file servlet to serve .html files:
weblogic.httpd.register.*.html=weblogic.servlet.FileServlet
weblogic.httpd.initArgs.*.html=defaultFilename=index.html
weblogic.httpd.defaultServlet=*.html
METHOD TWO
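As an added example (not BEA's code), the following Python audit reads a weblogic.properties file and flags the registration pattern described under CAUSE: a FileServlet bound to a plain virtual name such as "file", as opposed to the extension-wildcard registration of METHOD ONE. The two embedded property sets are constructed from the registrations quoted in this advisory; the key layout weblogic.httpd.register.<name>=<class> and weblogic.httpd.defaultServlet=<name> is assumed from those lines.

```python
# Added example (not BEA's code): audit weblogic.properties for the
# catch-all FileServlet registration described in this advisory.
FILE_SERVLET = "weblogic.servlet.FileServlet"
REGISTER_PREFIX = "weblogic.httpd.register."

# Constructed samples: the shipped example (vulnerable) and METHOD ONE (fixed).
VULNERABLE_PROPS = """\
# example registration from the shipped weblogic.properties
weblogic.httpd.register.file=weblogic.servlet.FileServlet
weblogic.httpd.initArgs.file=defaultFilename=index.html
weblogic.httpd.defaultServlet=file
"""
FIXED_PROPS = """\
weblogic.httpd.register.*.html=weblogic.servlet.FileServlet
weblogic.httpd.initArgs.*.html=defaultFilename=index.html
weblogic.httpd.defaultServlet=*.html
"""

def parse_properties(text):
    """Minimal key=value parser; '#' / '!' comment lines and blanks are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")  # split at the first '=' only
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit_file_servlet(props):
    """Return findings (strings) for FileServlet registrations that expose source.

    A FileServlet bound to a plain virtual name (e.g. 'file') serves any path
    under /<name>/ straight from the document root, so /<name>/page.jsp returns
    the JSP source. A registration keyed by an extension wildcard (*.html) only
    handles files with that extension, which is what METHOD ONE configures.
    """
    findings = []
    for key, value in props.items():
        if not key.startswith(REGISTER_PREFIX) or value != FILE_SERVLET:
            continue
        name = key[len(REGISTER_PREFIX):]
        if name.startswith("*."):
            if name[2:].lower() in ("jsp", "jhtml"):  # static serving of dynamic pages
                findings.append(f"FileServlet bound to dynamic extension {name}")
            continue
        findings.append(
            f"FileServlet bound to virtual name '{name}': /{name}/<page>.jsp serves source")
        if props.get("weblogic.httpd.defaultServlet") == name:
            findings.append(f"defaultServlet '{name}' is that same FileServlet registration")
    return findings
```

Run it against a real weblogic.properties by passing the file contents to parse_properties; an empty list from audit_file_servlet means no virtual-name FileServlet registration was found.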
III. FUTURE SECURITY COMMUNICATIONS
As a policy, if there are any security-related issues with any BEA product, BEA will distribute an alert and instructions with the appropriate course of action. Because the security of your site, data, and code is our highest priority, we feel strongly that all security-related issues should be clearly and openly communicated. We encourage you, or those responsible for security-related issues at your site, to register with us so we can directly communicate future advisories.
All previous advisories can be viewed at http://dev2dev.bea.com/advisoriesnotifications/.
BEA has established a new, permission-based emailing list specifically targeted for product security advisories. As a policy, if a user has opted-in to our emailing list and there are any security issues with the BEA product(s) he/she is using, BEA will distribute an advisory and instructions via email with the appropriate course of action.
You have received this message because you have opted in for BEA WebLogic Security Advisories. Thank you for registering with us.
IN ORDER TO MAKE SURE THAT WE HAVE THE APPROPRIATE CONTACT INFORMATION FOR SECURITY RELATED ISSUES, PLEASE REGISTER AT THE FOLLOWING URL:
http://contact2.bea.com/bea/www/advisories/login.jsp
If you have any questions or care to verify the authenticity of this message, please contact BEA Technical Support.
