PDA

Bekijk Volledige Versie : BEA WebLogic internal hostname disclosure



Michael Hendrickx
03/04/03, 01:20
Hi,

During a penentration test, I discovered that the BEA Weblogic Server
reveals it hostname (on windows machines NetBIOS name) while sending the
following request:

GET . HTTP/1.0\r\n\r\n

On older systems (Weblogic 7.0), a simple "BLAH . BLAH\r\n\r\n" will do
the same trick. BEA was contacted about two weeks ago, but I haven't
heard from them (yet).

Regards,
Michael

--
Michael Hendrickx
Security Engineer
Scanit NV/SA
http://www.scanit.be

Kurt Seifried
04/04/03, 02:20
> Hi,
>
> During a penentration test, I discovered that the BEA Weblogic Server
> reveals it hostname (on windows machines NetBIOS name) while sending the
> following request:
>
> GET . HTTP/1.0\r\n\r\n
>
> On older systems (Weblogic 7.0), a simple "BLAH . BLAH\r\n\r\n" will do
> the same trick. BEA was contacted about two weeks ago, but I haven't
> heard from them (yet).
>
> Regards,
> Michael

Reveals hostname:
../
..//
..//////////////
..%20
..%20%20
...

Does not reveal hostname:
....
..a
..1
..\
..%21

Seems that a single "." or a "." followed by a "special" character such as
"/" or %20 (space) works. Don't know what other "special" characters work.


Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/