WebLogic Management Servlet Network Vulnerability

Summary

The remote web server is WebLogic An internal management servlet which does not properly check user credential can be accessed from outside, allowing a cracker to change user passwords, and even upload or download any file on the remote server. In addition to this, there is a flaw in WebLogic 7.0 which may allow users to delete empty subcontexts. *** Note that OVS only checked the version in the server banner *** So this might be a false positive. Solutions : - apply Service Pack 2 Rolling Patch 3 on WebLogic 6.0 - apply Service Pack 4 on WebLogic 6.1 - apply Service Pack 2 on WebLogic 7.0 or 7.0.0.1

References

http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA03-28.jsp

Updated on 2015-03-25

Severity

Classification

CVE CVE-2003-1095
CVSS Base Score: 4.6
AV:L/AC:L/Au:N/C:P/I:P/A:P

Related Vulnerabilities

Apache Tiles Multiple XSS Vulnerability
Apache Commons Daemon 'jsvc' Information Disclosure Vulnerability
Aardvark Topsites <= 4.2.2 Remote File Inclusion Vulnerability
AfterLogic WebMail Pro Multiple Cross Site Scripting Vulnerabilities
Apache Tomcat SecurityConstraints Security Bypass Vulnerability

WebLogic management servlet

Take action and discover your vulnerabilities