BEA WebLogic SSL Handling Denial of Service weblogic attack - Ver2 (CVE-2004-2424)

A denial-of-service vulnerability has been reported in BEA Systems WebLogic Server. Successful exploitation of this vulnerability would allow a remote attacker to create a denial of service condition on the affected system...

BEA Systems WebLogic Server and Express 7.0 Null Character DoS

No description provided by source. source: http://www.securityfocus.com/bid/4646/info BEA Systems WebLogic Server is an enterprise level web and wireless application server for Microsoft Windows and most Unix and Linux distributions. BEA WebLogic Express provides a platform for serving dynamic da...

BEA Systems Weblogic Server 4.0 x/4.5 x/5.1 x Double Dot Buffer Overflow

No description provided by source. source: http://www.securityfocus.com/bid/2138/info BEA Systems WebLogic Server is an enterprise level web and wireless application server. Unchecked buffers exist in a particular handler for URL requests that begin with two dots ... Depending on the data entered...

BEA Systems WebLogic Express 3.1.8/4/5 Source Code Disclosure

No description provided by source. source: http://www.securityfocus.com/bid/1378/info Within WebLogic Server and WebLogic Express there are four main java servlets registered to serve different kind of files. A default servlet exists if a requested file does not have an assigned servlet. If an ht...

Oracle BEA WebLogic Portal特权提升漏洞

CNCAN ID：CNCAN-2009041603 Oracle BEA Systems WebLogic包含多种应用系统集成方案，包括Server/Express/Integration等。 BEA Systems WebLogic Portal存在一个未明错误，远程攻击者可以利用漏洞提升特权。 目前没有详细漏洞细节提供。 BEA WebLogic Portal 8.x 可参考供应商提供的安全公告获得补丁信息： http://www.oracle.com/technology/deploy/security/wls-security/1001.html...

ACROS Security: Session Fixation Vulnerability in WebLogic Administration Console (#2008-03-11-2)

=====BEGIN-ACROS-REPORT===== PUBLIC ========================================================================= ACROS Security Problem Report 2008-03-11-2 ------------------------------------------------------------------------- ASPR 2008-03-11-2: Session Fixation Vulnerability in WebLogic...

Sun JavaDoc工具跨站脚本漏洞

BUGTRAQ ID: 24690 CVECAN ID: CVE-2007-3503 Solaris系统的Java运行时环境（JRE）为JAVA应用程序提供可靠的运行环境。 Javadoc工具处理用户请求数据时存在跨站脚本执行漏洞，远程攻击者可能利用此漏洞在用户浏览器中执行恶意代码。 Javadoc工具可以生成包含有跨站脚本（XSS）漏洞的HTML文档页面，远程攻击者可以利用这个漏洞注入任意Web脚本或HTML。如果用户受骗访问了该页面的话，就可能从承载所生成文档的站点访问cookies。 Sun JDK = 5.0 Update 11 Sun JDK 6 BEA Systems...

BEA WebLogic Server空密码组信息泄露漏洞

BUGTRAQ ID: 25472 BEA Systems WebLogic包含多种应用系统集成方案，包括Server/Express/Integration等。 BEA Systems WebLogic在处理SSL连接时存在漏洞，可能导致敏感信息泄露。 在某些情况下，运行在服务器环境以外的SSL客户端可能无法找到创建SSL密码组列表所需的所有密码，这就会导致使用默认的非加密密码；客户端也可能无法支持服务器中任何可用的密码组，这时服务器就会选择使用空密码的密码组，导致SSL通讯没有加密，这样攻击者就可以获取明文传输的信息。 BEA Systems Weblogic Server 9.2...

BEA产品多个远程安全漏洞

BEA Systems WebLogic包含多种应用系统集成方案，包括Server/Express/Integration等。 BEA Weblogic中存在多个安全漏洞，可能允许恶意攻击者获得敏感信息、绕过某些安全限制、导致拒绝服务或完全入侵系统。 这些漏洞包括： 1 SSL库中的漏洞可能允许判断明文块； 2 从缓存重用连接时服务器没有正确地验证客户端证书，导致攻击者可以通过X.509证书访问Web服务器。成功攻击要求应用程序允许通过单个客户端进程访问多个用户； 3 存储在JDBCDataSourceFactory MBean Properties属性中的口令没有加密； 4...

BEA WebLogic Server/WebLogic Express Java RMI不正确会话继承漏洞

BEA Systems WebLogic包含多种应用系统集成方案，包括Server/Express/Integration等。 BEA WebLogic的对Java Remote Method Invocation RMI文档描述存在问题，遵从此文档开发的产品可导致权限提升问题。 问题发生在当客户多次以不同用户登录WebLogic服务器时，文档描述客户的行为是：当RMI请求提交时是没有当前用户关联客户线程的，这对RMI通过T3协议来说是正确的，但针对RMI通过IIOP协议走的情况下是不正确的，任意依赖此文档描述的行为可导致在RMI调用中获得其他用户的验证信息。 BEA Systems...

BEA WebLogic Server和WebLogic Express Application Role未授权访问漏洞

BEA Systems WebLogic包含多种应用系统集成方案，包括Server/Express/Integration等。 WebLogic Server和WebLogic Express应用程序不正确实现Servlet 2.3标准，远程攻击者可以利用这个漏洞未授权访问应用系统资源。 当WEB应用程序指定包含在security-constraint标记的role-name标记中的'role name'为''时，会触发此漏洞。下面是web.xml文件中使用有问题的‘’代码： security-constraint web-resource-collection...

CVE-2000-1238

BEA Systems WebLogic Express and WebLogic Server 5.1 SP1-SP6 allows remote attackers to bypass access controls for restricted JSP or servlet pages via a URL with multiple / forward slash characters before the restricted pages...

CVE-2000-1238

The CVE-2000-1238 entry affects BEA Systems WebLogic Express and WebLogic Server 5.1 SP1–SP6. The issue allows remote attackers to bypass access controls for restricted JSP/servlet pages by using a URL that contains multiple forward slash characters before the restricted pages. Vulnerable compone...

CVE-2005-2092

BEA Systems WebLogic 8.1 SP1 allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes WebLogic to incorrectly handle and forwar...

CVE-2005-2092

The CVE-2005-2092 entry describes a vulnerability in BEA Systems WebLogic 8.1 SP1 where a crafted HTTP request with both a Transfer-Encoding: chunked header and a Content-Length header causes WebLogic to mis-handle the request body, leading to HTTP Request Smuggling. This can allow remote attacke...

ACROS Security: HTML Injection in BEA WebLogic Server Console (2)

=====BEGIN-ACROS-REPORT===== PUBLIC ========================================================================= ACROS Security Problem Report 2005-05-24-2 ------------------------------------------------------------------------- ASPR 2005-05-24-2: HTML Injection in BEA WebLogic Server Console 2...

BEA Systems WebLogic Server and Express 7.0 - Null Character Denial of Service

source: https://www.securityfocus.com/bid/4646/info BEA Systems WebLogic Server is an enterprise level web and wireless application server for Microsoft Windows and most Unix and Linux distributions. BEA WebLogic Express provides a platform for serving dynamic data to web and wireless application...

CVE-2002-0106

BEA Systems Weblogic Server 6.1 allows remote attackers to cause a denial of service via a series of requests to .JSP files that contain an MS-DOS device name...

CVE-2002-0106

BEA Systems WebLogic Server 6.1 is affected. The vulnerability allows remote attackers to cause a denial of service by sending a sequence of requests to JSP files that contain an MS-DOS device name. The available documents describe the impact as a DoS but do not provide an exploit vector, affecte...

CVE-2002-0106

BEA Systems Weblogic Server 6.1 allows remote attackers to cause a denial of service via a series of requests to .JSP files that contain an MS-DOS device name...