SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Web Server/CGI)  >  WebLogic Vendors:  BEA Systems
BEA WebLogic May Stop Protecting URLs When Configured With Certain Illegal Protection Patterns
SecurityTracker Alert ID:  1009896
CVE Reference:  GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Apr 21 2004
Impact:  Disclosure of system information, Disclosure of user information, User access via network
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  
Version(s): 7.0 SP4 and prior versions, 8.1 SP1 and prior versions
Description:  A vulnerability was reported in BEA WebLogic Server and Express in the protection of URLs using an outdated URL pattern syntax. Some URL security features may not be properly applied.

If an administrator specifies an illegal URL pattern that ends with "*" but not "/*", the patterns will be incorrectly processed as wildcard patterns. As a result, protections previously provided (in earlier versions) to an illegal URL pattern may no longer be enforced.

According to the report, only sites with web applications that use an illegal URL pattern syntax are affected.

The vendor has assessed that there is a "Low" threat level but "High" severity.

The original advisory is available at:

http://dev2dev.bea.com/resourcelibrary/advisories notifications/BEA04_56.00.jsp
Impact:  A remote user may be able to access an ostensibly protected URL.
Solution:  For WebLogic Server and WebLogic Express version 8.1, upgrade to version 8.1 SP2.

For WebLogic Server and WebLogic Express version 7.0, upgrade to 7.0 SP5.

The vendor also recommends that you convert the illegal URL patterns to legal syntax in all deployed applications.
Vendor URL:  dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_56.00.jsp (Links to External Site)
Cause:  State error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000)

Message History:   None.

 Source Message Contents

 

[Original Message Not Available for Viewing]


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2004, SecurityGlobal.net LLC