[LWN Logo]
[Timeline]
Date:         Mon, 31 Jul 2000 09:53:02 -0700
From: labs@FOUNDSTONE.COM
Subject:      BEA's WebLogic *.jsp/*.jhtml remote command execution
To: BUGTRAQ@SECURITYFOCUS.COM

                            Foundstone, Inc.
                        http://www.foundstone.com
                      "Securing the Dot Com World"

                           Security Advisory

         BEA's WebLogic *.jsp/*.jhtml remote command execution

----------------------------------------------------------------------
FS Advisory ID:         FS-073100-10-BEA

Release Date:           July 31, 2000

Product:                WebLogic

Vendor:                 BEA Systems (http://www.beasys.com)

Vendor Advisory:        http://developer.bea.com/alerts/index.html

Type:                   Possible remote command execution.

Severity:               High (depending on your configuration)

Author:                 Shreeraj Shah (shreeraj.shah@foundstone.com)
                        Saumil Shah (saumil.shah@foundstone.com)
                        Stuart McClure (stuart.mcclure@foundstone.com)

Operating Systems:      All operating systems supported by WebLogic

Vulnerable versions:    WebLogic, all versions

Foundstone Advisory:    http://www.foundstone.com/advisories.htm
----------------------------------------------------------------------

Description

        It is possible to compile and execute any arbitrary file
        within the web document root directory of the WebLogic server
        as if it were a JSP/JHTML file, even if the file type is not
        .jsp or .jhtml.

        If applications residing on the WebLogic server write to files
        within the web document root directory, it is possible to
        insert executable code in the form of JSP or JHTML tags and
        have the code compiled and executed using WebLogic's handlers.
        This can potentially cause an attacker to gain administrative
        control of the underlying operating systems.

        The theory behind such vulnerabilities is described in CERT
        Advisory CA-2000-02 which can be found at:
        http://www.cert.org/advisories/CA-2000-02.html

        This vulnerability is similar to the remote execution
        vulnerability for Sun's Java Web Server reported previously by
        Foundstone. (FS-071000-5-JWS)

Details

        Looking into the weblogic.properties files, the following
        lines indicate how WebLogic associates handlers for compiling
        and executing JHTML and JSP files.

        weblogic.httpd.register.*.jhtml=\
               weblogic.servlet.jhtmlc.PageCompileServlet

        weblogic.httpd.register.*.jsp=\
               weblogic.servlet.JSPServlet

        JHTML pages in WebLogic get handled by the
        weblogic.servlet.jhtml.PageCompileServlet, which compiles the
        JHTML pages (if they are not already compiled) and executes
        them within the Java Runtime Enviroment and hand the output
        back to the web server. Similarly, weblogic.servlet.JSPServlet
        is responsible for compiling and executing JSP pages.

        It is possible to invoke these servlets manually using the
        /*.jhtml/ or /*.jsp/ prefix in the URL, and point it to any
        arbitrary file on the web server to be compiled and executed
        as if it were a JHTML or a JSP file. If JHTML or JSP code can
        be injected into any file on the web server via an application
        (e.g. a guestbook application), it is possible to execute
        arbitrary commands on the server.

Proof of concept

        Assume that there is an application on the WebLogic server
        that writes user entered data to a file called "temp.txt".

        Given below is JHTML/JSP code that will print "Hello World":

        <java>out.println("Hello World");</java>        (JHTML) -or-
        <% out.println("Hello World"); %>               (JSP)

        If this code is somehow inserted in the file "temp.txt" via
        an application, then the following can be used to invoke
        forced compilation and execution of "temp.txt":

        http://weblogic.site/*.jhtml/path/to/temp.txt   (JHTML) -or-
        http://weblogic.site/*.jsp/path/to/temp.txt

Solution

        Please refer to BEA's advisory BEA00-04.00 which can be found
        at http://developer.bea.com/alerts/index.html

Credits

        We would also like to thank BEA Systems for their prompt
        reaction to this problem and their co-operation in heightening
        security awareness in the security community.

Disclaimer

        THE INFORMATION CONTAINED IN THIS ADVISORY IS THE COPYRIGHT
        (C) 2000 OF FOUNDSTONE, INC. AND BELIEVED TO BE ACCURATE AT
        THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS
        GIVEN, EXPRESS OR IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS.
        NEITHER THE AUTHOR NOR THE PUBLISHER ACCEPTS ANY LIABILITY
        WHATSOEVER FOR ANY DIRECT, INDIRECT OR CONQUENTIAL LOSS OR
        DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE PLACED
        ON, THIS INFORMATION FOR ANY PURPOSE. THIS ADVISORY MAY BE
        REDISTRIBUTED PROVIDED THAT NO FEE IS ASSIGNED AND THAT THE
        ADVISORY IS NOT MODIFIED IN ANY WAY.