[19934] in bugtraq
Re: def-2001-14: Bea Weblogic Unicode Directory Browsing
daemon@ATHENA.MIT.EDU (Przemyslaw Maciuszko)
Fri Mar 30 02:56:53 2001
Message-ID: <Pine.LNX.4.33.0103291254310.29771-100000@virgin.gazeta.pl>
Date: Thu, 29 Mar 2001 13:00:19 +0200
Reply-To: Przemyslaw Maciuszko <sal@GAZETA.PL>
From: Przemyslaw Maciuszko <sal@GAZETA.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.33.0103281035100.7424-100000@virgin.gazeta.pl>
On Wed, 28 Mar 2001, Przemyslaw Maciuszko wrote:
> We were able to reproduce it on Solaris with Weblogic 5.1 SP8 in a clustered
> Weblogic environment.
> So this version IS vulnerable on Solaris.
Replying to myself.
As someone mentioned the combination of Weblogic + iPlanet.
We've tested it on two configurations.
1. Weblogic + iPlanet is vulnerable (iPlanet is parsing the string to
Weblogic and showing the source of .jsp)
2. Weblogic + Apache is NOT vulnerable (Apache shows the compiled jsp not
the source jsp)
So the temporary workaround can be changing from iPlanet to Apache.
--
Przemyslaw Maciuszko
Agora S.A.