There are two security problems in the BEA WebLogic line of web servers.
The first vulnerability could allow a remote attacker to view the source code of any file within the web document tree. Depending upon the configuration, it is possible to exploit this vulnerability using the File Servlet or the Server Side Include Servlet. If the example weblogic.properties file is used, these servlets can be accessed through the ConsoleHelp alias and the virtual name *.shtml, respectively. Source code from some scripts could include sensitive information such as passwords or directory paths which could be used in a subsequent attack against the server.
BEA WebLogic Enterprise 5.1.x and BEA WebLogic Server and Express 4.5.x and 5.1.x are vulnerable in certain configurations, including the configuration resulting from the example weblogic.properties file.
The second vulnerability could allow a misconfigured or malicious application to write files to the web document root. Executable code could be inserted into JSP or jHTML pages and would be executed the next time the page was retrieved by a client. BEA WebLogic Enterprise 5.1.x and all versions of WebLogic Server and Express are vulnerable.
Alternatively, apply the Show Code patch. Contact support@bea.com to obtain the patch. After the patch has been applied, make sure the following changes have taken place in weblogic.properties:
weblogic.httpd.register.file=weblogic.servlet.FileServlet
weblogic.httpd.initArgs.file=defaultFilename=index.html
weblogic.httpd.defaultServlet=file
should be changed to:
weblogic.httpd.register.*.html=weblogic.servlet.FileServlet
weblogic.httpd.initArgs.*.html=defaultFilename=index.html
weblogic.httpd.defaultServlet=*.html
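As an added example (not part of the BEA advisory or the patch), the following Python script checks a weblogic.properties file for the change listed above. Its parser is simplified and assumes `=` separators only; the function names and the sample files are constructed for illustration.

```python
# Added example: audit weblogic.properties against the advisory's before/after lines.
# Assumption: simplified parser ('=' separator, '#'/'!' comments, backslash continuations).
OLD = {  # settings that should no longer be present after the patch
    "weblogic.httpd.register.file": "weblogic.servlet.FileServlet",
    "weblogic.httpd.initArgs.file": "defaultFilename=index.html",
    "weblogic.httpd.defaultServlet": "file",
}
NEW = {  # settings the advisory says should be present after the patch
    "weblogic.httpd.register.*.html": "weblogic.servlet.FileServlet",
    "weblogic.httpd.initArgs.*.html": "defaultFilename=index.html",
    "weblogic.httpd.defaultServlet": "*.html",
}

def parse_properties(text):
    """Return {key: value}; the last assignment of a key wins, as in Java properties."""
    props, pending = {}, ""
    for raw in text.splitlines():
        stripped = raw.strip()
        if not pending and (not stripped or stripped[0] in "#!"):
            continue  # blank line or comment
        line = pending + stripped
        if line.endswith("\\"):
            pending = line[:-1]  # continuation: join with the next line
            continue
        pending = ""
        key, _, value = line.partition("=")  # split on the first '=' only
        props[key.strip()] = value.strip()
    return props

def audit(text):
    """Return a list of findings; an empty list means the post-patch form is in place."""
    props = parse_properties(text)
    findings = []
    for key, value in OLD.items():
        if props.get(key) == value:
            findings.append(f"pre-patch setting still present: {key}={value}")
    for key, value in NEW.items():
        if props.get(key) != value:
            findings.append(f"expected {key}={value}, found {props.get(key)!r}")
    return findings

# Constructed sample files built from the advisory's own lines.
PRE_PATCH = "# constructed sample\n" + "\n".join(f"{k}={v}" for k, v in OLD.items())
PATCHED = "# constructed sample\n" + "\n".join(f"{k}={v}" for k, v in NEW.items())

if __name__ == "__main__":
    for name, sample in (("pre-patch", PRE_PATCH), ("patched", PATCHED)):
        print(name, audit(sample) or "OK")
```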
The resolution for the second vulnerability is to use proper access controls on the web document root and to remove any unnecessary applications. See BEA Security Advisory 00-04.00 for specific fix information and for more information on the second vulnerability.