BEA WebLogic source code exposure Vulnerability

Source: Internet
Author: User

Affected programs:
BEA WebLogic Server and Express 5.1.x/4.5.x/4.0.x/3.1.8

Description:
BEA WebLogic source code exposure Vulnerability

Details:
Affected Versions
All systems
BEA WebLogic Enterprise 5.1.x
BEA WebLogic Server and Express 5.1.x
BEA WebLogic Server and Express 4.5.x
BEA WebLogic Server and Express 4.0.x
BEA WebLogic Server and Express 3.1.8

This vulnerability allows an attacker to read the source code of any file under the Web document root.
WebLogic relies on four main Java servlets to serve different file types. These servlets are:

FileServlet - for plain HTML pages
SSIServlet - for Server Side Include (SSI) pages
PageCompileServlet - for JHTML pages
JSPServlet - for Java Server Pages

Looking at the weblogic.properties file, each servlet is registered as follows:

weblogic.httpd.register.file=weblogic.servlet.FileServlet
weblogic.httpd.register.*.shtml=weblogic.servlet.ServerSideIncludeServlet
weblogic.httpd.register.*.jhtml=weblogic.servlet.jhtmlc.PageCompileServlet
weblogic.httpd.register.*.jsp=weblogic.servlet.JSPServlet

Further down in weblogic.properties, a default servlet is registered; it handles any request whose file type has no servlet registered for it. The default servlet is registered like this:

# Default servlet registration
#------------------------------------------------
# Virtual name of the default servlet if no matching servlet
# is found
weblogic.httpd.defaultServlet=file

Because FileServlet is registered under the virtual name "file", any URL whose path starts with "/file/" is routed to FileServlet (the default servlet), which returns the file as it is on disk, without parsing or compiling it.

Demonstration:
Prefixing "/file/" to the original URL path of a file causes that file to be returned unparsed and uncompiled. For example, for the page

http://site.running.weblogic/login.jsp

requesting

http://site.running.weblogic/file/login.jsp

displays the source of login.jsp in the Web browser.

The following methods lead to the same result:
1. Forcing SSIServlet to serve unparsed pages:
----------------------------------------------------------
WebLogic uses SSIServlet to process server-side include pages. It is registered in the weblogic.properties file as:

weblogic.httpd.register.*.shtml=
weblogic.servlet.ServerSideIncludeServlet

Because the registration name is the wildcard pattern "*.shtml", a URL path that literally starts with "/*.shtml/" is routed to SSIServlet. SSIServlet does not parse or compile other file types, so requesting a .jsp or .jhtml file this way returns its unparsed source. Example:
http://www.xxx.com/*.shtml/login.jsp

2. Forcing FileServlet to serve unparsed pages via the ConsoleHelp registration:
-----------------------------------------------------------
WebLogic registers the ConsoleHelp servlet as a FileServlet. The weblogic.properties file contains:

# For Console help. Do not modify.
weblogic.httpd.register.ConsoleHelp=
weblogic.servlet.FileServlet
weblogic.httpd.initArgs.ConsoleHelp=
defaultFilename=/weblogic/admin/help/NoContent.html
weblogic.allow.execute.weblogic.servlet.ConsoleHelp=everyone

Therefore, if the file path starts with "/ConsoleHelp/", WebLogic uses FileServlet to return the file unparsed and uncompiled. For example:
http://www.xxx.com/ConsoleHelp/login.jsp
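As an added defender-side example (not part of the original advisory), the following Python script scans Web server access log lines for requests that use the three path prefixes described above to fetch a .jsp or .jhtml file. The log lines and addresses are constructed samples, and the Common Log Format layout is assumed.

```python
import re
from urllib.parse import unquote

# Path prefixes from the advisory that route a request to a servlet which
# returns the file body instead of compiling it: FileServlet under its default
# virtual name "file", SSIServlet via its "*.shtml" registration, and the
# ConsoleHelp FileServlet registration.
SOURCE_DISCLOSURE_PREFIXES = ("/file/", "/*.shtml/", "/ConsoleHelp/")
# Extensions whose source must never be served raw.
COMPILED_EXTENSIONS = (".jsp", ".jhtml")

# Minimal Common Log Format matcher; method, path and status are all we need.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def classify_request(path):
    """Return the matching prefix when the path asks a raw-file servlet for a
    JSP/JHTML file, else None. URL decoding catches "%2A" used for "*"."""
    decoded = unquote(path.split("?", 1)[0]).lower()
    for prefix in SOURCE_DISCLOSURE_PREFIXES:
        if decoded.startswith(prefix.lower()) and decoded.endswith(COMPILED_EXTENSIONS):
            return prefix
    return None

def scan_access_log(lines):
    """Return (path, status, prefix) for each matching request. A 200 means the
    server probably returned source; other statuses still show probing."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and (prefix := classify_request(m.group("path"))):
            hits.append((m.group("path"), int(m.group("status")), prefix))
    return hits

# Constructed sample log lines; not from a real server.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jul/2000:10:00:00 +0000] "GET /login.jsp HTTP/1.0" 200 1532',
    '10.0.0.5 - - [01/Jul/2000:10:00:01 +0000] "GET /file/login.jsp HTTP/1.0" 200 4471',
    '10.0.0.5 - - [01/Jul/2000:10:00:02 +0000] "GET /%2A.shtml/login.jsp HTTP/1.0" 200 4471',
    '10.0.0.5 - - [01/Jul/2000:10:00:03 +0000] "GET /ConsoleHelp/admin/index.jhtml HTTP/1.0" 404 210',
    '10.0.0.5 - - [01/Jul/2000:10:00:04 +0000] "GET /file/logo.gif HTTP/1.0" 200 3000',
]

if __name__ == "__main__":
    for path, status, prefix in scan_access_log(SAMPLE_LOG):
        print(f"{status} {path}  <- raw-file route via {prefix}")
```

A static file fetched through "/file/" (the .gif line) is not reported, since that is what FileServlet is meant to serve.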

Solution:
Do not register FileServlet the way the documentation example does; that registration exposes the source code of your JSP/JHTML files. See the online documentation:

http://www.weblogic.com/docs51/admindocs/http.html#file

The registration example in question is:

weblogic.httpd.register.file=weblogic.servlet.FileServlet
weblogic.httpd.initArgs.file=defaultFilename=index.html
weblogic.httpd.defaultServlet=file

There are two ways to avoid this problem:

* Register FileServlet under a random name, which makes the prefix harder to guess. For example, to register FileServlet as 12foo34:

weblogic.httpd.register.12foo34=weblogic.servlet.FileServlet
weblogic.httpd.initArgs.12foo34=defaultFilename=index.html
weblogic.httpd.defaultServlet=12foo34

* Register FileServlet with wildcards that declare exactly which file extensions it serves. For example, to register FileServlet to serve .html files:

weblogic.httpd.register.*.html=weblogic.servlet.FileServlet
weblogic.httpd.initArgs.*.html=defaultFilename=index.html
weblogic.httpd.defaultServlet=*.html

Repeat this for each static file type to be served: *.gif, *.jpg, *.pdf, *.txt, etc.
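An added example, not from the advisory or from BEA: a Python audit that parses a weblogic.properties fragment and reports FileServlet registrations reachable as a URL prefix, distinguishing them from the extension-wildcard form recommended above. The properties text is a constructed sample, and the severity labels are this example's own choice.

```python
import re

# Constructed weblogic.properties fragment (not from a real deployment).
SAMPLE_PROPERTIES = """\
# Default servlet registration
weblogic.httpd.register.file=weblogic.servlet.FileServlet
weblogic.httpd.initArgs.file=defaultFilename=index.html
weblogic.httpd.defaultServlet=file
weblogic.httpd.register.*.jsp=weblogic.servlet.JSPServlet
weblogic.httpd.register.*.gif=weblogic.servlet.FileServlet
# For Console help. Do not modify.
weblogic.httpd.register.ConsoleHelp=weblogic.servlet.FileServlet
"""

FILE_SERVLET = "weblogic.servlet.FileServlet"
REGISTER_RE = re.compile(r"^weblogic\.httpd\.register\.(?P<name>[^=\s]+)\s*=\s*(?P<cls>\S+)$")
DEFAULT_RE = re.compile(r"^weblogic\.httpd\.defaultServlet\s*=\s*(?P<name>\S+)$")

def parse_properties(text):
    """Return ({virtual name: servlet class}, default servlet name or None)."""
    registrations, default = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := REGISTER_RE.match(line):
            registrations[m.group("name")] = m.group("cls")
        elif m := DEFAULT_RE.match(line):
            default = m.group("name")
    return registrations, default

def audit(text):
    """Return (severity, message) findings. A FileServlet bound to a plain
    virtual name answers every URL under "/<name>/", so it hands out JSP/JHTML
    source; an extension wildcard such as "*.html" only serves that type."""
    registrations, default = parse_properties(text)
    findings = []
    for name, cls in registrations.items():
        if cls == FILE_SERVLET and not name.startswith("*."):
            # "file" and "ConsoleHelp" ship with WebLogic 5.1; a random name is only as safe as it is secret.
            sev = "HIGH" if name.lower() in ("file", "consolehelp") else "MEDIUM"
            findings.append((sev, f"FileServlet reachable under the /{name}/ prefix"))
    if registrations.get(default) == FILE_SERVLET and not default.startswith("*."):
        findings.append(("HIGH", f"defaultServlet '{default}' is a prefix-addressable FileServlet"))
    return findings

if __name__ == "__main__":
    for sev, msg in audit(SAMPLE_PROPERTIES):
        print(sev, msg)
```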

Note: this guidance comes from the lockdown instructions for BEA WebLogic Server and Express:

http://www.weblogic.com/docs51/admindocs/lockdown.html

Also watch for new releases and upgrade to them.

