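BEA Systems WebLogic Access Control Bypass Vulnerability
Published: 2002-06-27
Updated: 2002-06-27
Severity: High
Threat: Read restricted files
Error type: Access validation error
Exploitation method: Server mode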
BUGTRAQ ID:5089
Affected systems:
BEA Systems WebLogic Express 5.1 SP 6
BEA Systems WebLogic Express 5.1 SP 5
BEA Systems WebLogic Express 5.1 SP 4
BEA Systems WebLogic Express 5.1 SP 3
BEA Systems WebLogic Express 5.1 SP 2
BEA Systems WebLogic Express 5.1 SP 1
BEA Systems WebLogic Express 5.1
BEA Systems Weblogic Server 5.1 SP 6
BEA Systems Weblogic Server 5.1 SP 5
BEA Systems Weblogic Server 5.1 SP 4
BEA Systems Weblogic Server 5.1 SP 3
BEA Systems Weblogic Server 5.1 SP 2
BEA Systems Weblogic Server 5.1 SP 1
BEA Systems Weblogic Server 5.1
- Apache Software Foundation Apache 1.3.9
- Apache Software Foundation Apache 1.3.9 win32
- Apache Software Foundation Apache 1.3.12
- C2Net StrongHold Web Server 3.0
- HP HP-UX 10.20
- HP HP-UX 11.0
- IBM AIX 4.2
- IBM AIX 4.3
- Microsoft IIS 4.0
- Microsoft IIS 5.0
- Microsoft Windows 2000 Workstation
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0
- RedHat Linux 5.1
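- Sun Solaris 8.0

Detailed description:
BEA Systems WebLogic is a web and wireless application server that runs on many system platforms.
WebLogic 5.1 allows remote users to bypass the access control that protects JSP and servlet pages: by submitting a URL request that contains multiple '//' characters, a remote user can access the protected JSPs and servlets directly.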
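For administrators checking whether an unpatched server has already received such requests, the following access-log check is an added example, not part of the original advisory and not BEA code. It assumes Common Log Format logs, HTTP authentication (so the log's user field is filled in for authenticated requests), and hypothetical protected prefixes `/admin/` and `/secure/`; the sample log lines are constructed.

```python
import re

# Assumption: URL prefixes this site protects with access control (hypothetical).
PROTECTED_PREFIXES = ("/admin/", "/secure/")

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

# Constructed sample access log (documentation addresses, invented paths).
SAMPLE_LOG = """\
192.0.2.10 - - [27/Jun/2002:10:00:01 +0000] "GET /index.jsp HTTP/1.0" 200 1043
192.0.2.10 - - [27/Jun/2002:10:00:05 +0000] "GET /secure/report.jsp HTTP/1.0" 401 212
192.0.2.10 - - [27/Jun/2002:10:00:09 +0000] "GET //secure//report.jsp HTTP/1.0" 200 5120
198.51.100.7 - alice [27/Jun/2002:10:02:00 +0000] "GET /secure//report.jsp?id=1 HTTP/1.0" 200 5120
198.51.100.7 - - [27/Jun/2002:10:03:00 +0000] "GET /images//logo.gif HTTP/1.0" 200 900
"""

def check_line(line):
    """Return a finding for a request whose path contains repeated slashes and
    resolves under a protected prefix once they are collapsed; else None."""
    m = CLF.match(line)
    if not m:
        return None
    host, user, _method, target, status = m.groups()
    # Split off the query by hand: urlsplit() would read a leading '//' as a host.
    raw_path = target.split("?", 1)[0]
    if "//" not in raw_path:
        return None
    normalized = re.sub(r"/{2,}", "/", raw_path)
    if not normalized.startswith(PROTECTED_PREFIXES):
        return None
    # A 2xx answer with no authenticated user means protected content was served.
    bypass_likely = status.startswith("2") and user == "-"
    return {"host": host, "path": raw_path, "normalized": normalized,
            "status": int(status), "user": user, "bypass_likely": bypass_likely}

def scan(log_text):
    """Check every line of an access log and return the findings in order."""
    return [f for f in map(check_line, log_text.splitlines()) if f]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        level = "ALERT" if f["bypass_likely"] else "review"
        print(f'{level}: {f["host"]} {f["path"]} -> {f["normalized"]} '
              f'({f["status"]}, user={f["user"]})')
```

Findings marked ALERT are requests that were answered successfully without a logged user; "review" findings used repeated slashes but came from an authenticated session.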
Test code: None

Solution:
Patch download:
BEA Systems Weblogic Server 5.1 SP 6:
BEA Systems Patch SecurityBEA00-0600.zip
ftp://ftpna.bea.com/pub/releases/patches/SecurityBEA00-0600.zip
BEA Systems WebLogic Express 5.1 SP 6:
BEA Systems Patch SecurityBEA00-0600.zip
ftp://ftpna.bea.com/pub/releases/patches/SecurityBEA00-0600.zip
Related information:
Reference: http://dev2dev.bea.com/resourcelibrary/advisoriesdetail.jsp?highlight=advisoriesnotifications&path=components%2Fdev2dev%2Fresourcelibrary%2Fadvisoriesnotifications%2Fsecurityadvisorybea000600.htm