
BEA Systems WebLogic Encryption Information Disclosure Weakness

Default implementations of WebLogic Server and WebLogic Express make details about the encryption of passwords available to unprivileged users. A user with access to the encrypted passwords, with knowledge of the encryption algorithms used, and access to the 'config.xml', 'filerealm.properties', and 'weblogic-rar.xml' files could gain access to the plain-text passwords.
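Because the weakness depends on read access to the three files named above, a defender can audit who is able to read them. The following check is an added example, not part of the original advisory or of BEA's tooling; it assumes a POSIX file system, a domain directory passed as the first argument, and the hypothetical function name `audit_domain`.

```python
import os
import stat
import sys

# File names come from the advisory text; everything else is illustrative.
SENSITIVE_NAMES = {"config.xml", "filerealm.properties", "weblogic-rar.xml"}

# Permission bits that expose a file beyond its owning account.
CHECKS = [
    (stat.S_IRGRP, "group-readable"),
    (stat.S_IWGRP, "group-writable"),
    (stat.S_IROTH, "world-readable"),
    (stat.S_IWOTH, "world-writable"),
]


def audit_domain(root, expected_uid=None):
    """Return sorted [(path, octal_mode, [reasons])] for exposed files under root."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if name not in SENSITIVE_NAMES:
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # unreadable or dangling link: nothing to assess
            reasons = [label for bit, label in CHECKS if st.st_mode & bit]
            # Optionally flag files not owned by the account that runs the server.
            if expected_uid is not None and st.st_uid != expected_uid:
                reasons.append("owner uid %d, expected %d" % (st.st_uid, expected_uid))
            if reasons:
                findings.append((path, oct(stat.S_IMODE(st.st_mode)), reasons))
    return sorted(findings)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    results = audit_domain(root)
    for path, mode, reasons in results:
        print("%s mode=%s: %s" % (path, mode, ", ".join(reasons)))
    sys.exit(1 if results else 0)
```

A non-zero exit status means at least one of the named files is accessible beyond its owner, which makes the script usable as a scheduled or build-time check.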







 

Copyright 2009, SecurityFocus