Category:   Application (Web Server/CGI)  >   Oracle WebLogic
Vendors:   BEA Systems
WebLogic Server Default Internal Servlet May Let Remote Users Access the Local File System
SecurityTracker Alert ID:  1015792
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Updated:  May 15 2006
Original Entry Date:  Mar 20 2006
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 6.1 SP7 and prior service packs
Description:   A vulnerability was reported in WebLogic Server. A remote user can access files on the target system.

A remote user can load a default internal servlet to gain access to the local Windows filesystem.

The vendor credits S21sec with reporting this vulnerability.

[Editor's note: The vendor's advisory contains potentially conflicting information about which systems are affected. The advisory states that "all sites ... installed on Windows are vulnerable" but also indicates that "all platforms" are affected.]

Impact:   A remote user can access the local filesystem.
Solution:   The vendor has issued the following fix for WebLogic Server version 6.1 [quoted]:

1. Upgrade to WebLogic Server 6.1 Service Pack 7.
2. Install the patch from:
3. Place the jar for the patch in the CLASSPATH before the weblogic.jar file.

The vendor's advisory is available at:

Vendor URL:
Cause:   Access control error
Underlying OS:  Windows (NT), Windows (2000), Windows (2003)

Message History:   None.

 Source Message Contents

[Original Message Not Available for Viewing]
