BEA WebLogic Scripts Server Scripts Source Disclosure Network Vulnerability

Summary

BEA WebLogic may be tricked into revealing the source code of JSP scripts by using simple URL encoding of characters in the filename extension. e.g.: default.js%70 (=default.jsp) won't be considered as a script but rather as a simple document. Vulnerable systems: WebLogic version 5.1.0 SP 6 Immune systems: WebLogic version 5.1.0 SP 8

Solution

Use the official patch available at http://www.bea.com

Severity

Classification

CVSS Base Score: 5.0
AV:N/AC:L/Au:N/C:P/I:N/A:N

Related Vulnerabilities

2532|Gigs Directory Traversal And SQL Injection Multiple Vulnerabilities
AlienForm CGI script
1024 CMS 1.1.0 Beta 'force_download.php' Local File Include Vulnerability
Apache Tomcat Login Constraints Security Bypass Vulnerability
Apache Tomcat 'sendfile' Request Attributes Information Disclosure Vulnerability

BEA WebLogic Scripts Server scripts Source Disclosure

Take action and discover your vulnerabilities