VID: 22517
Severity: 30
Port: 80, ...
Protocol: TCP
Class: Servlet
Detailed Description:
The version of Oracle WebLogic Server running on the remote host has a session fixation vulnerability.
A remote attacker could exploit this by tricking a user into making a specially crafted POST request. This would allow the attacker to hijack the user's session.
* Note: This check relies solely on the version number reported by the remote WebLogic server to assess this vulnerability, so the result may be a false positive.
* References:
  - http://malerisch.net/docs/advisories/Oracle_WebLogic_Session_Fixation_Via_HTTP_POST_Request.html
  - http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html
* Platforms Affected:
  - Oracle WebLogic Server 10.3.3
  - Oracle WebLogic Server 10.3.2
  - Oracle WebLogic Server 10.3.1
  - Oracle WebLogic Server 10.3
  - Oracle WebLogic Server 10.1
  - Oracle WebLogic Server 10.0 MP2
  - Oracle WebLogic Server 10.0 MP1
  - Oracle WebLogic Server 10
  - Oracle WebLogic Server 9.2.4
  - Oracle WebLogic Server 9.2 MP3
  - Oracle WebLogic Server 9.2 MP2
  - Oracle WebLogic Server 9.2 MP1
  - Oracle WebLogic Server 9.2
  - Oracle WebLogic Server 9.1 GA
  - Oracle WebLogic Server 9.1
  - Oracle WebLogic Server 9.0 GA
  - Any operating system, any version
Recommendation:
Oracle has released a Critical Patch Update to address this issue. Information on obtaining and applying the appropriate patch can be found in the Oracle Critical Patch Update Advisory dated January 2011 at http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html

Related URL: CVE-2010-4437 (CVE)
Related URL: 45852 (SecurityFocus)
Related URL: (ISS)