Weblogic FileServlet Show Code Vulnerability

Certain versions of BEA Systems Weblogic server ship with a vulnerability which allows malicious users to view the source documents which reside in the web document root directory.

This is possible due to a mistake in the provided weblogic.properties configuration which manifests itself if a user sends a request prefixed with /ConsoleHelp/ . This will result in the Fileservlet being forced to display documents in the unparsed (raw precompiled) formats.


 

Privacy Statement
Copyright 2010, SecurityFocus