BEA WebLogic < 5.1 SP 11 JSP Source Disclosure

Medium Nessus Network Monitor Plugin ID 1538

Synopsis

The remote WebLogic server may be tricked into revealing the source code of JSP scripts by prefixing their path by '/*.shtml/'.

Description

The remote WebLogic server may be tricked into revealing the source code of JSP scripts by prefixing their path by '/*.shtml/'.

Solution

Upgrade to version 5.1 SP 11 or higher.

See Also

http://archives.neohapsis.com/archives/bugtraq/2000-07/0410.html

http://www.oracle.com/technology/deploy/security/wls-security/12.html

Plugin Details

Severity: Medium

ID: 1538

Family: Web Servers

Published: 2004/08/18

Modified: 2016/11/23

Dependencies: 1442

Nessus ID: 11604

Risk Information

Risk Factor: Medium

CVSSv2

Base Score: 5

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Temporal Vector: CVSS2#E:H/RL:U/RC:ND

CVSSv3

Base Score: 5.3

Temporal Score: 5.3

Vector: CVSS3#AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS3#E:H/RL:U/RC:X

Vulnerability Information

CPE: cpe:/a:bea:weblogic_server

Reference Information

CVE: CVE-2000-0683

BID: 1517