Vendor: WebLogic Server and WebLogic Express
By: SecurityFocus
CVSS: 8,8 (HIGH)
Source Code Disclosure
CWE: 200
Product Name: WebLogic Server and WebLogic Express
Affected Version From: WebLogic Server and WebLogic Express
Affected Version To: WebLogic Server and WebLogic Express
Patch Exists: YES
Related CWE: CVE-2001-0206
CPE: o:bea:weblogic_server
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2001
Source Code Disclosure
WebLogic Server and WebLogic Express contain a vulnerability that allows an attacker to view the source code of any file on the server. This is done by sending an HTTP request that includes "/file/" in the URL. The server then calls upon the default servlet, which causes the page to display the source code in the web browser.
Mitigation:
WebLogic Server and WebLogic Express should be configured to deny access to the "/file/" directory.