Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
Subject: BEA's WebLogic *.jsp/*.jhtml remote command execution
Date: Mon Jul 31 2000 - 11:53:02 CDT
- Next message: Mike Eldridge: "Re: cvs security problem"
- Previous message: Wietse Venema: "Dan & Wietse's Forensics Tools released"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
"Securing the Dot Com World"
BEA's WebLogic *.jsp/*.jhtml remote command execution
FS Advisory ID: FS-073100-10-BEA
Release Date: July 31, 2000
Vendor: BEA Systems (http://www.beasys.com)
Vendor Advisory: http://developer.bea.com/alerts/index.html
Type: Possible remote command execution.
Severity: High (depending on your configuration)
Author: Shreeraj Shah (shreeraj.shahfoundstone.com)
Saumil Shah (saumil.shahfoundstone.com)
Stuart McClure (stuart.mcclurefoundstone.com)
Operating Systems: All operating systems supported by WebLogic
Vulnerable versions: WebLogic, all versions
Foundstone Advisory: http://www.foundstone.com/advisories.htm
It is possible to compile and execute any arbitrary file
within the web document root directory of the WebLogic server
as if it were a JSP/JHTML file, even if the file type is not
.jsp or .jhtml.
If applications residing on the WebLogic server write to files
within the web document root directory, it is possible to
insert executable code in the form of JSP or JHTML tags and
have the code compiled and executed using WebLogic's handlers.
This can potentially cause an attacker to gain administrative
control of the underlying operating systems.
The theory behind such vulnerabilities is described in CERT
Advisory CA-2000-02 which can be found at:
This vulnerability is similar to the remote execution
vulnerability for Sun's Java Web Server reported previously by
Looking into the weblogic.properties files, the following
lines indicate how WebLogic associates handlers for compiling
and executing JHTML and JSP files.
JHTML pages in WebLogic get handled by the
weblogic.servlet.jhtml.PageCompileServlet, which compiles the
JHTML pages (if they are not already compiled) and executes
them within the Java Runtime Enviroment and hand the output
back to the web server. Similarly, weblogic.servlet.JSPServlet
is responsible for compiling and executing JSP pages.
It is possible to invoke these servlets manually using the
/*.jhtml/ or /*.jsp/ prefix in the URL, and point it to any
arbitrary file on the web server to be compiled and executed
as if it were a JHTML or a JSP file. If JHTML or JSP code can
be injected into any file on the web server via an application
(e.g. a guestbook application), it is possible to execute
arbitrary commands on the server.
Proof of concept
Assume that there is an application on the WebLogic server
that writes user entered data to a file called "temp.txt".
Given below is JHTML/JSP code that will print "Hello World":
<java>out.println("Hello World");</java> (JHTML) -or-
<% out.println("Hello World"); %> (JSP)
If this code is somehow inserted in the file "temp.txt" via
an application, then the following can be used to invoke
forced compilation and execution of "temp.txt":
Please refer to BEA's advisory BEA00-04.00 which can be found
We would also like to thank BEA Systems for their prompt
reaction to this problem and their co-operation in heightening
security awareness in the security community.
THE INFORMATION CONTAINED IN THIS ADVISORY IS THE COPYRIGHT
(C) 2000 OF FOUNDSTONE, INC. AND BELIEVED TO BE ACCURATE AT
THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS
GIVEN, EXPRESS OR IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS.
NEITHER THE AUTHOR NOR THE PUBLISHER ACCEPTS ANY LIABILITY
WHATSOEVER FOR ANY DIRECT, INDIRECT OR CONQUENTIAL LOSS OR
DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE PLACED
ON, THIS INFORMATION FOR ANY PURPOSE. THIS ADVISORY MAY BE
REDISTRIBUTED PROVIDED THAT NO FEE IS ASSIGNED AND THAT THE
ADVISORY IS NOT MODIFIED IN ANY WAY.