• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Focus On: Vista
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns

• info
• discussion
• exploit
• solution
• references

WebLogic Server and Express HTTP TRACE Credential Theft Vulnerability

It has been reported that WebLogic Server and Express may prone to a user credential theft vulnerability that that may allow a remote attacker to steal sensitive information such as cookie-based authentication credentials. The problem exists because WebLogic Server responds to the HTTP TRACE request by default. Successful exploitation of this issue may allow an attacker to compromise user accounts by gaining access to sensitive header information. This issue may be combined with other attacks such as cross-site scripting, to steal cookie-based authentication credentials.