Weblogic FileServlet Show Code Vulnerability

Please refer to BEA security advisory BEA00-03.00.

From the vendor (as appears in BEA00-03.00):

(1) Apply the "Show Code" vulnerability patch available from BEA Technical Support. This patch is available for:

Version:

    The J-Engine in BEA WebLogic Enterprise 5.1.x
    BEA WebLogic Server and Express 5.1.x
    BEA WebLogic Server and Express 4.5.x

Action: Contact BEA Technical Support at support@bea.com for patch.

(2) Once the patch has been applied, review the weblogic.properties file and ensure that the following changes have been made:

    weblogic.httpd.register.file=weblogic.servlet.FileServlet
    weblogic.httpd.initArgs.file=defaultFilename=index.html
    weblogic.httpd.defaultServlet=file

should be changed to:

    weblogic.httpd.register.*.html=weblogic.servlet.FileServlet
    weblogic.httpd.initArgs.*.html=defaultFilename=index.html
    weblogic.httpd.defaultServlet=*.html

Future Service Packs for BEA WebLogic Server and Express will also contain the patch to address this vulnerability.
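One way to verify step (2) across many servers is to audit each weblogic.properties file for the three settings above. The script below is an added example, not part of the BEA advisory or any BEA tool; it assumes standard Java .properties syntax, and the function names and sample files are constructed for illustration.

```python
import re

# Property values exactly as quoted in the advisory text above.
OLD = {
    "weblogic.httpd.register.file": "weblogic.servlet.FileServlet",
    "weblogic.httpd.initArgs.file": "defaultFilename=index.html",
    "weblogic.httpd.defaultServlet": "file",
}
NEW = {
    "weblogic.httpd.register.*.html": "weblogic.servlet.FileServlet",
    "weblogic.httpd.initArgs.*.html": "defaultFilename=index.html",
    "weblogic.httpd.defaultServlet": "*.html",
}

def parse_properties(text):
    """Parse .properties text: '#'/'!' comments, '=' or ':' separators,
    backslash line continuations; a later duplicate key wins."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):          # logical line continues on the next one
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        m = re.match(r"([^=:\s]+)\s*[=:\s]\s*(.*)", line)
        props[m.group(1) if m else line] = m.group(2) if m else ""
    return props

def audit(text):
    """Return findings; an empty list means the file matches step (2)."""
    props = parse_properties(text)
    findings = [f"pre-patch setting still present: {k}={v}"
                for k, v in OLD.items() if props.get(k) == v]
    findings += [f"expected {k}={v}, found {props.get(k)!r}"
                 for k, v in NEW.items() if props.get(k) != v]
    return findings

# Constructed sample files (not taken from a real server).
SAMPLE_OLD = "\n".join(f"{k}={v}" for k, v in OLD.items())
SAMPLE_NEW = ("# constructed sample\n"
              "weblogic.httpd.register.*.html = weblogic.servlet.FileServlet\n"
              "weblogic.httpd.initArgs.*.html=\\\n    defaultFilename=index.html\n"
              "weblogic.httpd.defaultServlet: *.html\n")

if __name__ == "__main__":
    for name, sample in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW)):
        print(name, audit(sample) or "OK")
```

The check covers only the configuration change; it cannot tell whether the patch from step (1) has been applied.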


Copyright 2010, SecurityFocus