SecurityTracker.com

SecurityTracker Archives

Category:   Application (Web Server/CGI)  >   Oracle WebLogic
Vendors:   BEA Systems
BEA WebLogic URL Parsing Bug May Let Remote Users Gain Unauthorized Access to Web Applications and Content
SecurityTracker Alert ID:  1005419
SecurityTracker URL:  http://securitytracker.com/id/1005419
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Oct 16 2002
Impact:   Disclosure of user information, Host/resource access via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): WebLogic Integration 7.0 and 7.0 Service Pack 1; WebLogic Server and Express 6.0, 6.1, 7.0 and 7.0.0.1
Description:   A vulnerability was reported in BEA Systems WebLogic Platform, WebLogic Integration, and WebLogic Server and Express products. The flaw may allow some web applications to run without their security policies being enforced, letting remote users gain unauthorized access.

In certain versions there is an undocumented extension to the Servlet mappings of the Servlet 2.3 specification (see section "SRV.11.2 Specification of Mappings") that causes URL patterns beginning with neither "*." nor "/" to be treated as if they were prefixed with a "/".

Apparently, many applications used this undocumented extension. Then, in WebLogic Server 7.0 Service Pack 1, this extension stopped working. As a result, web applications using the (old) extended syntax will not have their role mappings and policies enforced in WebLogic Server 7.0 Service Pack 1: a security constraint whose URL pattern no longer matches any request path protects nothing, while the content it was meant to guard stays deployed and reachable.

According to the report, users of WebLogic Integration 7.0 or 7.0 Service Pack 1, or users migrating web applications to WebLogic Server 7.0 Service Pack 1, may be vulnerable.

Impact:   A remote user may be able to gain unauthorized access to web applications and content in certain situations.
Solution:   BEA has provided the following solution options:

"For WebLogic Integration 7.0 or 7.0 Service Pack 1:

* Upgrade to WebLogic Platform 7.0 Service Pack 1 and apply the patch

ftp://ftpna.beasys.com/pub/releases/security/CR087623_70SP1.zip

When WebLogic Platform 7.0 Service Pack 2 is available, you can use that version instead of 7.0 Service Pack 1 and this patch.

For WebLogic Server 7.0 Service Pack 1

1. Apply the following workaround:

* This problem can be fixed by changing your web.xml files to include the leading slash (i.e., replace patterns that are on the left half of the above table with those that are on the right half of the above table).

Or 2. apply the patch:

ftp://ftpna.beasys.com/pub/releases/security/CR086158_70sp1.jar

When Service Pack 2 becomes available, you can use that .jar instead of this patch."
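The following script is an added example, not code from BEA, the advisory, or SecurityTracker. It shows both halves of the problem described above: a simplified matcher that applies the Servlet 2.3 SRV.11 mapping rules (exact, path-prefix "/x/*", extension "*.ext") with an optional flag emulating the old WebLogic behaviour of silently prefixing bare patterns with "/", and an audit/fix pass over a web.xml that reports every security-constraint url-pattern relying on that behaviour and rewrites it with the leading slash, which is the workaround BEA gives. The web.xml, the role name and the request paths are constructed for the demonstration; the matcher covers only the three mapping forms named in the spec and ignores the default servlet mapping.

```python
"""Audit web.xml <url-pattern> values for the leading-slash problem and show
why a pattern without it stops matching under strict Servlet 2.3 rules.
Added example; the web.xml below is constructed, not taken from any product."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: "admin/*" and "secret.html" use the undocumented extension.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin pages</web-resource-name>
      <url-pattern>admin/*</url-pattern>
      <url-pattern>/reports/*</url-pattern>
      <url-pattern>*.jsp</url-pattern>
      <url-pattern>secret.html</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""


def is_spec_pattern(pattern: str) -> bool:
    """True if the pattern is a path mapping ("/...") or an extension mapping
    ("*.ext") as defined in SRV.11.2."""
    return pattern.startswith("/") or pattern.startswith("*.")


def normalize_legacy(pattern: str) -> str:
    """What the pre-SP1 extension did: treat a bare pattern as if it had "/"."""
    return pattern if is_spec_pattern(pattern) else "/" + pattern


def pattern_matches(pattern: str, path: str, legacy: bool = False) -> bool:
    """Match a context-relative request path (always starting with "/") against
    one pattern: exact, then path-prefix, then extension. With legacy=True the
    old WebLogic behaviour is emulated. A spec-conformant container treats a
    bare pattern as exact-match only, which no real request path can satisfy."""
    if legacy:
        pattern = normalize_legacy(pattern)
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return False


def constrained(web_xml: str, path: str, legacy: bool = False) -> bool:
    """Is the request path covered by any <security-constraint> url-pattern?"""
    root = ET.fromstring(web_xml)
    for sc in root.findall("security-constraint"):
        for up in sc.iter("url-pattern"):
            if pattern_matches((up.text or "").strip(), path, legacy):
                return True
    return False


def audit(web_xml: str):
    """Return (pattern, corrected) pairs for every security-constraint
    url-pattern that relies on the legacy extension."""
    root = ET.fromstring(web_xml)
    findings = []
    for sc in root.findall("security-constraint"):
        for up in sc.iter("url-pattern"):
            p = (up.text or "").strip()
            if not is_spec_pattern(p):
                findings.append((p, normalize_legacy(p)))
    return findings


URL_PATTERN_RE = re.compile(r"(<url-pattern>\s*)([^<]*?)(\s*</url-pattern>)")


def fix_web_xml(web_xml: str) -> str:
    """Apply the workaround textually (so comments and formatting survive):
    every url-pattern gets its leading slash."""
    return URL_PATTERN_RE.sub(
        lambda m: m.group(1) + normalize_legacy(m.group(2)) + m.group(3), web_xml)


if __name__ == "__main__":
    for p, fixed in audit(SAMPLE_WEB_XML):
        print(f"{p!r}: not enforced after 7.0 SP1; use {fixed!r}")
    fixed_xml = fix_web_xml(SAMPLE_WEB_XML)
    for path in ("/admin/users.do", "/secret.html", "/reports/q3.pdf"):
        print(path, "legacy:", constrained(SAMPLE_WEB_XML, path, legacy=True),
              "strict:", constrained(SAMPLE_WEB_XML, path),
              "fixed:", constrained(fixed_xml, path))
```

Run against a real deployment's web.xml files, `audit()` is the pre-upgrade check to perform before moving an application to 7.0 Service Pack 1, and `constrained()` with and without `legacy=True` shows which paths lose protection. Note that "/admin/users.jsp" in the sample stays constrained even under strict rules only because the unrelated "*.jsp" pattern happens to cover it; an audit must look at the patterns themselves, not just probe a few URLs.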

Vendor URL:  dev2dev.bea.com/resourcelibrary/advisoriesdetail.jsp?highlight=advisoriesnotifications&path=components%2Fdev2dev%2Fresourcelibrary%2Fadvisoriesno
Cause:   Access control error
Underlying OS:  Linux (Red Hat Linux), Linux (SuSE), OpenVMS, UNIX (AIX), UNIX (HP/UX), UNIX (Open UNIX-SCO), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000)

Message History:   None.

Source Message Contents

Subject:  BEA WebLogic access control policy bypass


http://dev2dev.bea.com/resourcelibrary/advisoriesdetail.jsp?highlight=advisoriesnotifications&path=components%2Fdev2dev%2Fresourcelibrary%2Fadvisoriesnotifications%2FADVISORY_BEA02-22.htm

BEA Systems issued a security advisory (BEA02-22.00) warning of flaws in the BEA WebLogic
Platform, WebLogic Integration, and WebLogic Server and Express products.

It is reported that a flaw may allow web applications to run without security policies
being enforced.

According to the report, users of WebLogic Integration 7.0 or 7.0 Service Pack 1, or users
migrating web applications to WebLogic Server 7.0 Service Pack 1, may be vulnerable.

The following versions are affected:

BEA WebLogic Integration 7.0 and 7.0 Service Pack 1.
BEA WebLogic Server and Express 6.0, 6.1, 7.0 and 7.0.0.1.

In certain versions there is an undocumented extension to the Servlet mappings of the
Servlet 2.3 specification (see section "SRV.11.2 Specification of Mappings") that causes
URL patterns beginning with neither "*." nor "/" to be treated as if they were prefixed
with a "/".

Apparently, many applications used this undocumented extension.  Then, in WebLogic Server
7.0 Service Pack 1, this extension stopped working.  As a result, web applications using
the (old) extended syntax will not have their role mappings and policies enforced in
WebLogic Server 7.0 Service Pack 1.

BEA has provided the following solution options:

"For WebLogic Integration 7.0 or 7.0 Service Pack 1:

* Upgrade to WebLogic Platform 7.0 Service Pack 1 and apply the patch  

ftp://ftpna.beasys.com/pub/releases/security/CR087623_70SP1.zip

When WebLogic Platform 7.0 Service Pack 2 is available, you can use that version instead
of 7.0 Service Pack 1 and this patch.

For WebLogic Server 7.0 Service Pack 1

1. Apply the following workaround:

* This problem can be fixed by changing your web.xml files to include the leading slash
(i.e., replace patterns that are on the left half of the above table with those that are on
the right half of the above table).

Or  2. apply the patch:

ftp://ftpna.beasys.com/pub/releases/security/CR086158_70sp1.jar

When Service Pack 2 becomes available, you can use that .jar instead of this patch."
Copyright 2020, SecurityGlobal.net LLC