BEA WebLogic Scripts Server Scripts Source Disclosure Network Vulnerability

Summary

BEA WebLogic may be tricked into revealing the source code of JSP scripts by using simple URL encoding of characters in the filename extension. e.g.: default.js%70 (=default.jsp) won't be considered as a script but rather as a simple document. Vulnerable systems: WebLogic version 5.1.0 SP 6 Immune systems: WebLogic version 5.1.0 SP 8

Solution

Use the official patch available at http://www.bea.com

Severity

Classification

CVSS	Base Score: 5.0 AV:N/AC:L/Au:N/C:P/I:N/A:N

Related Vulnerabilities

Apache Tomcat 'sendfile' Request Attributes Information Disclosure Vulnerability
Apache Struts CookBook/Examples Multiple Cross-Site Scripting Vulnerabilities
Apache Struts Directory Traversal Vulnerability
Apache Commons Daemon 'jsvc' Information Disclosure Vulnerability
Apache Tomcat SecurityConstraints Security Bypass Vulnerability

BEA WebLogic Scripts Server scripts Source Disclosure

Take action and discover your vulnerabilities