NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Secunia Advisories> 2003-q4

[sec-adv] BEA Tuxedo and WebLogic Enterprise Administration Console Vulnerability

From: Secunia Security Advisories (sec-advsecunia.com)
Date: Thu Oct 30 2003 - 07:03:47 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

TITLE:
BEA Tuxedo and WebLogic Enterprise Administration Console
Vulnerability

SECUNIA ADVISORY ID:
SA10106

VERIFY ADVISORY:
http://www.secunia.com/advisories/10106/

CRITICAL:
Less critical

IMPACT:
Cross Site Scripting, Exposure of system information, DoS

WHERE:
From remote

SOFTWARE:
BEA Tuxedo 6.x
BEA Tuxedo 7.x
BEA Tuxedo 8.x
BEA WebLogic Enterprise 4.x
BEA WebLogic Enterprise 5.x

DESCRIPTION:
A vulnerability has been reported in BEA Tuxedo and WebLogic
Enterprise, which can be exploited by malicious people to conduct
Cross-Site Scripting attacks, cause a DoS (Denial of Service) or
determine the existence of files.

The vulnerability is caused due to the Administration Console CGI
script not validating startup arguments like the path to the
initialisation file.

The following products are affected:
* Tuxedo 8.1
* Tuxedo 8.0
* Tuxedo 7.1
* Tuxedo 6.5
* Tuxedo 6.4
* Tuxedo 6.3
* WebLogic Enterprise 5.1
* WebLogic Enterprise 5.0.1
* WebLogic Enterprise 4.2

SOLUTION:
Restrict access to the Administration Console and apply patch.

Tuxedo 8.1:
Apply Rolling Patch 62 or later from BEA Customer Support.

REPORTED BY / CREDITS:
Corsaire Limited

ORIGINAL ADVISORY:
http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/advisory03_38_00.jsp

----------------------------------------------------------------------

Secunia recommends that you verify all advisories you receive, by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

Contact details:
Web : http://www.secunia.com/
E-mail : supportsecunia.com
Tel : +45 7020 5144
Fax : +45 7020 5145

----------------------------------------------------------------------

Unsubscribe: Secunia Security Advisories

----------------------------------------------------------------------

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]