BEA WebLogic Hex Encoded Request JSP Source Disclosure

medium Nessus Plugin ID 10715

Synopsis

The remote web server is affected by an information disclosure vulnerability.

Description

The version of BEA WebLogic installed on the remote host may be tricked into revealing the source code of JSP scripts by using simple URL encoding of characters in the filename extension.

Solution

Use the official patch available at http://www.bea.com/ to upgrade to WebLogic version 5.1.0 SP 8 or later.

See Also

http://www.nessus.org/u?2cd7750b

Plugin Details

Severity: Medium

ID: 10715

File Name: BEA_weblogic_Reveal_Script_Code.nasl

Version: 1.45

Type: remote

Family: CGI abuses

Published: 8/13/2001

Updated: 1/19/2021

Supported Sensors: Nessus

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 4.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: No exploit is required

Exploited by Nessus: true

Vulnerability Publication Date: 3/28/2001

Reference Information

BID: 2527