The WebLogic server uses a different section of code to process requests beginning with ".." than it uses for normal requests. A buffer overflow in this section of the code could be used by a remote attacker to create a race condition which could lead to a server crash or the execution of arbitrary code.
BEA WebLogic Server 5.1.0 prior to Service Pack 7 is affected by this vulnerability.
CVE 2000-0682
CVE 2000-0683
This vulnerability could allow a remote attacker to view the source code of any file within the web document tree. Depending upon the configuration, it is possible to exploit this vulnerability using the File Servlet or the Server Side Include Servlet. If the example weblogic.properties file is used, these servlets can be accessed through the ConsoleHelp alias and the virtual name *.shtml, respectively. Source code from some scripts could include sensitive information such as passwords or directory paths which could be used in a subsequent attack against the server.
BEA WebLogic Enterprise 5.1.x and BEA WebLogic Server and Express 4.5.x and 5.1.x are vulnerable in certain configurations, including the configuration resulting from the example weblogic.properties file.
CVE 2000-0684
CVE 2000-0685
This vulnerability could allow a misconfigured or malicious application to write files to the web document root. Executable code could be inserted into JSP or jHTML pages and would be executed the next time the page was retrieved by a client. BEA WebLogic Enterprise 5.1.x, and all versions of WebLogic Server and Express are vulnerable.
For the source code exposure vulnerability, apply Service Pack 5 or higher for WebLogic 5.1.0.
Alternatively, apply the Show Code patch. Contact support@bea.com to obtain the patch. After the patch has been applied, make sure the following changes have taken place in weblogic.properties:
weblogic.httpd.register.file=weblogic.servlet.FileServlet
weblogic.httpd.initArgs.file=defaultFilename=index.html
weblogic.httpd.defaultServlet=file
should be changed to:
weblogic.httpd.register.*.html=weblogic.servlet.FileServlet
weblogic.httpd.initArgs.*.html=defaultFilename=index.html
weblogic.httpd.defaultServlet=*.html
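Added here as an example, not part of the advisory or of BEA's own tooling: a small Python check that parses a weblogic.properties file and flags the unrestricted FileServlet registration the advisory tells administrators to change. The property keys and values are the ones quoted above; the parser, the verdict logic and the sample configurations are assumptions of this example.

```python
# Added example (not from the advisory): audit a weblogic.properties file for the
# unrestricted FileServlet registration. Key names come from the advisory text;
# the parsing and the findings logic are this example's own assumptions.

FILE_SERVLET = "weblogic.servlet.FileServlet"
REGISTER_PREFIX = "weblogic.httpd.register."

# Sample configurations, constructed from the advisory's before/after snippets.
WEAK_CONFIG = """# example weblogic.properties (weak)
weblogic.httpd.register.file=weblogic.servlet.FileServlet
weblogic.httpd.initArgs.file=defaultFilename=index.html
weblogic.httpd.defaultServlet=file
"""
FIXED_CONFIG = """# weblogic.properties after the advised change
weblogic.httpd.register.*.html=weblogic.servlet.FileServlet
weblogic.httpd.initArgs.*.html=defaultFilename=index.html
weblogic.httpd.defaultServlet=*.html
"""


def parse_properties(text):
    """Minimal Java .properties parser: '#'/'!' comments, first '=' splits key and value.

    Splitting on the first '=' matters here because initArgs values themselves
    contain '=' (e.g. defaultFilename=index.html)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def file_servlet_findings(props):
    """Return findings for FileServlet registrations that are not limited to an extension."""
    findings = []
    default_servlet = props.get("weblogic.httpd.defaultServlet")
    for key, value in props.items():
        if not key.startswith(REGISTER_PREFIX) or value != FILE_SERVLET:
            continue
        name = key[len(REGISTER_PREFIX):]
        # A plain name such as "file" lets FileServlet serve any path in the document
        # tree; an extension pattern such as "*.html" restricts what it will return.
        if not name.startswith("*."):
            findings.append(f"FileServlet registered under unrestricted name '{name}'")
            if default_servlet == name:
                findings.append(f"defaultServlet '{name}' sends every unmatched request to FileServlet")
    return findings
```

Run `file_servlet_findings(parse_properties(open("weblogic.properties").read()))` against a server's actual file; an empty list means the registration matches the advised form.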
The resolution for the JSP/jHTML file write vulnerability is to use proper access controls on the web document root, and to remove any unnecessary applications. See BEA Security Advisory 00-04.00 for specific fix information.
For more information on the source code exposure vulnerability, see BEA Security Advisory 00-03.00.
For more information on the file write vulnerability, see BEA Security Advisory 00-04.00.