The URL pattern matching feature in BEA WebLogic Server 6.x matches illegal patterns ending in “" as wildcards as if they were the legal "/” pattern, which could cause WebLogic 7.x to allow remote attackers to bypass intended access restrictions because the illegal patterns are properly rejected.