VID: 22436
Severity: 30
Port: 8080, ...
Protocol: TCP
Class: Servlet
Detailed Description:
The WebLogic Server is vulnerable to a source code disclosure vulnerability via the '/file/' prefix. Certain versions of BEA Systems WebLogic Server ship with a vulnerability in the FileServlet that allows malicious users to view the source of .jsp and .jhtml pages residing under the web document root directory. A remote attacker could send a request for a known file prefixed with "/file/", which invokes the FileServlet and causes the requested file's source code to be displayed instead of being executed.

References:
- http://dev2dev.bea.com/pub/advisory/12
- http://archives.neohapsis.com/archives/bugtraq/2000-06/0196.html
- http://www.securiteam.com/windowsntfocus/5SQ050A1YC.html

Platforms Affected:
- BEA WebLogic Enterprise 5.1.x
- BEA WebLogic Server and Express 4.5x, 5.1.x, and 6.x
- Windows (any version), Linux (any version), Unix (any version)
Recommendation:
Apply the Service Pack for the "Show Code" vulnerability, as listed in BEA Systems, Inc. Security Advisory (BEA02-03.03) at http://dev2dev.bea.com/pub/advisory/12

Related URLs:
- CVE-2000-0500 (CVE)
- 1378 (SecurityFocus)
- 4775 (ISS)