WebLogic Portal Access Control Flaw May Grant Remote Users Access to Entitled Pages
|
|
SecurityTracker Alert ID: 1014759 |
|
SecurityTracker URL: http://securitytracker.com/id/1014759
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Aug 22 2005
|
Impact:
Disclosure of system information, Disclosure of user information
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): WebLogic Portal 8.1 through SP4
|
Description:
A vulnerability was reported in WebLogic Portal. A remote user may be able to access restricted pages.
A remote user can supply a specially crafted URL to gain access to all pages of a target Book even if the user is not entitled to access the pages.
Systems that use entitlements placed directly on desktop books, pages, or portlets are affected. Systems that use entitlements placed on Portals built from library books, pages, and portlets are not affected.
|
Impact:
A remote user may be able to access entitled pages that the user is not entitled to access.
|
Solution:
The vendor has issued a patch for WebLogic Portal 8.1 SP4, available at:
ftp://ftpna.beasys.com/pub/releases/security/patch_CR238578_81SP4.zip
|
Vendor URL: dev2dev.bea.com/pub/advisory/137 (Links to External Site)
|
Cause:
Access control error
|
Underlying OS:
Linux (Red Hat Enterprise), Linux (SuSE), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000), Windows (2003)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Mon, 22 Aug 2005 15:32:56 -0400
Subject: http://dev2dev.bea.com/pub/advisory/137
|
> Security Advisory: (BEA05-84.00)
> Minor Subject: A patch is available to enforce correct access restrictions.
> Product(s) Affected: WebLogic Portal
> Threat level: High
> Severity: High
|
|
