|Category:||Web application abuses|
|Title:||WebLogic management servlet|
|Summary:||Checks the version of WebLogic|
The remote web server is WebLogic
An internal management servlet which does not properly
check user credential can be accessed from outside, allowing
a cracker to change user passwords, and even upload or download
any file on the remote server.
In addition to this, there is a flaw in WebLogic 7.0 which may
allow users to delete empty subcontexts.
*** Note that OpenVAS only checked the version in the server banner
*** So this might be a false positive.
See also : http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA03-28.jsp
- apply Service Pack 2 Rolling Patch 3 on WebLogic 6.0
- apply Service Pack 4 on WebLogic 6.1
- apply Service Pack 2 on WebLogic 7.0 or 188.8.131.52
BugTraq ID: 7122|
BugTraq ID: 7124
BugTraq ID: 7130
BugTraq ID: 7131
Common Vulnerability Exposure (CVE) ID: CVE-2003-1095
CERT/CC vulnerability note: VU#691153
XForce ISS Database: weblogic-app-reauthentication-bypass(11555)
|Copyright||This script is Copyright (C) 2003 Michel Arboi|
|This is only one of 40246 vulnerability tests in our test suite. Find out more about running a complete security audit.|
To run a free test of this vulnerability against your system, register below.