| VID |
22207 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
Servlet |
| Detailed Description |
The WebLogic Server has a source code disclosure vulnerability (4). Certain versions of BEA Systems WebLogic Server ship with a flaw in the FileServlet that allows malicious users to view the source of .jsp and .jhtml pages that reside under the web document root directory. A remote attacker could send a request for a known file prefixed with "/ConsoleHelp/", which invokes the FileServlet and causes the requested file's source code to be displayed.
* References: http://developer.bea.com/alerts/security_000731.html, http://www.foundstone.com/knowledge/randd-advisories-display.html?id=29, http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA02-03.jsp
* Platforms Affected: BEA WebLogic Enterprise 5.1.x; BEA WebLogic Server and Express 4.5x, 5.1.x, and 6.x; Windows (any version); Linux (any version); Unix (any version) |
| Recommendation |
Apply the Service Pack for the "Show Code" vulnerability, as listed in BEA Systems, Inc. Security Advisory (BEA02-03.03), http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA02-03.jsp |
| Related URL |
CVE-2000-0682 (CVE) |
| Related URL |
1518 (SecurityFocus) |
| Related URL |
5024 (ISS) |
|
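A log check for the request pattern in the Detailed Description, added here as an example and not part of the original advisory or of any BEA tooling: it flags access-log requests whose decoded path begins with "/ConsoleHelp/" and ends in .jsp or .jhtml. The common log format, the case-insensitive match, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumed common/combined log format:
# host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
PREFIX = "/consolehelp/"          # compared case-insensitively (assumption)
SOURCE_EXTS = (".jsp", ".jhtml")  # page types named in the advisory

def normalise_path(target):
    """Drop the query string, percent-decode, collapse duplicate slashes."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/{2,}", "/", path)

def find_consolehelp_source_requests(lines):
    """Return one record per request that matches the advisory's pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        path = normalise_path(m["target"])
        lowered = path.lower()
        if lowered.startswith(PREFIX) and lowered.endswith(SOURCE_EXTS):
            hits.append({
                "host": m["host"], "time": m["time"], "path": path,
                "status": int(m["status"]),
                # A 200 means the server answered the request with content.
                "served": m["status"] == "200",
            })
    return hits

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2002:10:01:07 +0000] "GET /index.jsp HTTP/1.0" 200 5120',
    '198.51.100.7 - - [12/Mar/2002:10:02:11 +0000] "GET /ConsoleHelp/login.jsp HTTP/1.0" 200 2381',
    '198.51.100.7 - - [12/Mar/2002:10:02:15 +0000] "GET /%43onsoleHelp/admin/users.jhtml?x=1 HTTP/1.0" 404 312',
    '192.0.2.10 - - [12/Mar/2002:10:03:00 +0000] "GET /ConsoleHelp/index.html HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for hit in find_consolehelp_source_requests(SAMPLE_LOG):
        print(hit)
```

Hits with `served` set to true are the ones to review first, since the server returned content for a .jsp or .jhtml path under "/ConsoleHelp/".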