SecurityTracker.com

SecurityTracker
Archives


 


Category: Application (Web Server/CGI) > Oracle WebLogic
Vendors: BEA Systems
WebLogic Portal May Disclose a User's JSR-168 Portlet Contents
SecurityTracker Alert ID:  1015791
SecurityTracker URL:  http://securitytracker.com/id/1015791
CVE Reference: GENERIC-MAP-NOMATCH
Date:  Mar 20 2006
Impact:   Disclosure of user information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): WebLogic Portal 8.1 SP5 and prior service packs
Description:   A vulnerability was reported in WebLogic Portal. A remote user may be able to view another user's JSR-168 Portlet contents.

The system may render JSR-168 Portlet contents from the cache, where the contents belong to another user.

WebLogic Portal sites using JSR-168 Portlets are affected. Other Portlet types are not affected.

Impact:   A remote user can view the contents of another user's JSR-168 Portlet.
Solution:   The vendor has issued the following fix [quoted]:

1. Upgrade to WebLogic Portal 8.1 Service Pack 5.
2. Install the patch from:
ftp://ftpna.beasys.com/pub/releases/security/patch_CR259534_81SP5.zip
3. Follow the instructions in the README file contained in the ZIP archive.

This fix will be included in WebLogic Portal 8.1 Service Pack 6.

The vendor's advisory is available at:

http://dev2dev.bea.com/pub/advisory/182

Vendor URL: dev2dev.bea.com/pub/advisory/182
Cause:   Access control error
Underlying OS:  Linux (Red Hat Enterprise), Linux (SuSE), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000), Windows (2003)

Message History:   None.


 Source Message Contents



[Original Message Not Available for Viewing]



Copyright 2019, SecurityGlobal.net LLC