BEA WebLogic May Stop Protecting URLs When Configured With Certain Illegal Protection Patterns
|
|
SecurityTracker Alert ID: 1009896 |
|
SecurityTracker URL: http://securitytracker.com/id/1009896
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Apr 21 2004
|
Impact:
Disclosure of system information, Disclosure of user information, User access via network
|
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes
|
Version(s): 7.0 SP4 and prior versions, 8.1 SP1 and prior versions
|
Description:
A vulnerability was reported in BEA WebLogic Server and Express in the protection of URLs using an outdated URL pattern syntax. Some URL security features may not be properly applied.
If an administrator specifies an illegal URL pattern that ends with "*" but not "/*", the patterns will be incorrectly processed as wildcard patterns. As a result, protections previously provided (in earlier versions) to an illegal URL pattern may no longer be enforced.
According to the report, only sites with web applications that use an illegal URL pattern syntax are affected.
The vendor has assessed that there is a "Low" threat level but "High" severity.
The original advisory is available at:
http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_56.00.jsp
|
Impact:
A remote user may be able to access an ostensibly protected URL.
|
Solution:
For WebLogic Server and WebLogic Express version 8.1, upgrade to version 8.1 SP2.
For WebLogic Server and WebLogic Express version 7.0, upgrade to 7.0 SP5.
The vendor also recommends that you convert the illegal URL patterns to legal syntax in all deployed applications.
|
Vendor URL: dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_56.00.jsp (Links to External Site)
|
Cause:
State error
|
Underlying OS:
Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000)
|
|
Message History:
None.
|
Source Message Contents
|
|
|
[Original Message Not Available for Viewing]
|
|
