Signature Detail

HTTP: Weblogic Malformed URL Reveal JSP Source

This signature detects attempts to exploit a known vulnerability in Bea Weblogic. Version V6.1 Service Pack 2 on Windows 2000 Server is vulnerable. Attackers can append the string "%00x" to a URL request to read the contents of a .jsp file.

Extended Description

Many webservers are case-sensitive, but do not have all possible combinations of cases in mapped extensions mapped properly. By changing the letters in a JSP or a JHTML file extension from lower case to upper case (eg: .jsp or .jhtml becomes .JSP or .JHTML) in a URL the server does not recognize the file extension and sends the file normally. In that manner, a user is able to access the source code to those specific files.

Affected Products

• BEA Systems Weblogic 3.1.8
• BEA Systems Weblogic 4.0.4
• BEA Systems Weblogic Server 3.1.8
• BEA Systems Weblogic Server 4.5.1
• IBM Websphere Application Server 3.0.2 .1
• Unify eWave ServletExec 3.0.0

References

• BugTraq: 1328
• CVE: CVE-2000-0499
• URL: http://www.securityfocus.com/bid/1328
• URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2000-0499
• URL: http://xforce.iss.net/static/4694.php