Vendor: WebLogic Server and WebLogic Express
By: SecurityFocus
CVSS: 8.3 (HIGH)
Title: Default Servlet Source Code Disclosure
CWE: 200
Product Name: WebLogic Server and WebLogic Express
Affected Version From: WebLogic Server and WebLogic Express
Affected Version To: WebLogic Server and WebLogic Express
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2001

Default Servlet Source Code Disclosure

WebLogic Server and WebLogic Express contain four main Java servlets, each registered to serve a different type of file. If an HTTP request path includes "/file/", the server hands the request to the default servlet, which returns the requested file's source code and causes it to be displayed in the web browser.

Mitigation:

WebLogic Server and WebLogic Express should be configured to not allow access to the "/file/" directory.

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/1378/info

Within WebLogic Server and WebLogic Express there are four main Java servlets registered to serve different kinds of files. A default servlet handles any requested file that has no servlet assigned to it.

If an HTTP request is made that includes "/file/", the server calls upon the default servlet, which causes the page's source code to be displayed in the web browser.

http://target/file/filename
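As an added example (not part of the SecurityFocus advisory or the Exploit-DB record), the following Python script scans Common Log Format access logs for requests routed through the "/file/" prefix described above, which is how a defender would hunt for attempts to trigger this disclosure in historical logs. The log lines, host addresses and file names are constructed; the double percent-decoding and lower-casing are deliberately broad detection choices made here to avoid missing encoded variants, not documented WebLogic behaviour.

```python
# Added example, not code from the advisory: flag requests that hit the
# WebLogic "/file/" default-servlet prefix in Common Log Format access logs.
import re
from urllib.parse import unquote, urlsplit

# Common Log Format: host ident user [time] "METHOD target HTTP/x" status bytes
_CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Path prefix that the advisory says is routed to the default servlet.
FILE_PREFIX = "/file/"


def normalize_path(target: str) -> str:
    """Return the percent-decoded, lower-cased path component of a request target.

    Decoding twice and lower-casing is a detection choice (broad on purpose,
    accepting some false positives) so that encoded or mixed-case variants of
    the prefix are not missed.
    """
    path = urlsplit(target).path
    return unquote(unquote(path)).lower()


def is_default_servlet_request(target: str) -> bool:
    """True if the normalized request path contains the '/file/' prefix."""
    return FILE_PREFIX in normalize_path(target)


def parse_line(line: str):
    """Parse one CLF line into a dict, or return None for lines that do not match."""
    m = _CLF.match(line)
    return m.groupdict() if m else None


def find_source_disclosure_requests(lines):
    """Return (host, target, status) for each request that hits the /file/ prefix."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed or non-CLF lines rather than failing
        if is_default_servlet_request(rec["target"]):
            hits.append((rec["host"], rec["target"], int(rec["status"])))
    return hits


# Constructed sample log lines (not real traffic); hosts and file names are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jun/2000:10:00:01 +0000] "GET /index.jsp HTTP/1.0" 200 5123',
    '10.0.0.7 - - [12/Jun/2000:10:00:02 +0000] "GET /file/index.jsp HTTP/1.0" 200 4120',
    '10.0.0.7 - - [12/Jun/2000:10:00:03 +0000] "GET /FILE/login.jsp HTTP/1.0" 200 3990',
    '10.0.0.9 - - [12/Jun/2000:10:00:04 +0000] "GET /%2ffile%2fadmin.jsp HTTP/1.0" 404 210',
    '10.0.0.9 - - [12/Jun/2000:10:00:05 +0000] "POST /servlet/Login HTTP/1.0" 302 0',
    'garbage line that is not CLF',
]

if __name__ == "__main__":
    for host, target, status in find_source_disclosure_requests(SAMPLE_LOG):
        print(f"{host} requested {target} (status {status})")
```

A 200 response on a "/file/" request is the strongest signal that source was actually returned; 404s still show that the prefix was probed. On a patched or correctly configured server, the mitigation above should make every such request fail, so any 200 hit is worth investigating.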