• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

Weblogic SSIServlet Show Code Vulnerability

Solution:
The following information was made available by BEA Systems:

(1) Apply the "Show Code" vulnerability patch available from BEA Technical Support. This patch is available for:

Version: The J-Engine in BEA WebLogic Enterprise 5.1.x BEA WebLogic Server and Express 5.1.x BEA WebLogic Server and Express 4.5.x

Action: Contact BEA Technical Support at support@bea.com for patch. lete R Reply (2) Once the patch has been applied, review the weblogic.propertiesfile and ensure that the following changes have been made:

weblogic.httpd.register.file=weblogic.servlet.FileServlet weblogic.httpd.initArgs.file=defaultFilename=index.html weblogic.httpd.defaultServlet=file

should be changed to:

weblogic.httpd.register.*.html=weblogic.servlet.FileServlet weblogic.httpd.initArgs.*.html=defaultFilename=index.html weblogic.httpd.defaultServlet=*.html

Future Service Packs for BEA WebLogic Server and Express will also contain the patch to address this vulnerability.