Weblogic SSIServlet Show Code Vulnerability

Certain versions of BEA Systems Weblogic server ship with a vulnerability which allows malicious users to view the source of .jsp and .jhtml pages which reside in the web document root directory.

This is possible due to a mistake in the provided weblogic.properties configuration which manifests itself if a user sends a request prefixed with /*.shtml/ . This will result in the SSIServlet (Server Side Include Servlet) being forced to display documents in the unparsed (raw precompiled) formats.


 

Privacy Statement
Copyright 2010, SecurityFocus