| Field | Value |
|---|---|
| VID | 22108 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | Servlet |
| Detailed Description | The WebLogic Server has a source code disclosure vulnerability (2). BEA Systems WebLogic Server is an enterprise-level web and wireless application server for Microsoft Windows and most Unix and Linux distributions. BEA WebLogic Server version 6.1 SP2 and possibly earlier versions could allow a remote attacker to view the source code of JavaServer Pages (JSP). A remote attacker could send a specially crafted URL request for a JSP file appended with "%00x" or "+." to cause the web server to reveal the source code of the requested file. Disclosure of script source code may allow the attacker to probe for other vulnerabilities or may disclose sensitive information such as database credentials. |
| References | http://www.iss.net/security_center/static/8967.php, http://online.securityfocus.com/bid/4645 |
| Recommendation | Apply the appropriate patch for your system, as listed in BEA Systems Inc. SECURITY ADVISORY (BEA02-03.03): http://dev2dev.bea.com/resourcelibrary/advisoriesdetail.jsp?highlight=advisoriesnotifications&path=components/dev2dev/resourcelibrary/advisoriesnotifications/securityadvisoriesbea020303.htm. Alternatively, upgrade to the latest version of WebLogic (6.1 SP3 or later), available from the BEA WebLogic Download Page at http://commerce.bea.com/downloads/weblogic_server.jsp |
| Related URL | (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | (ISS) |