
BEA Systems WebLogic Web Application authentication bypass

by Nikola Strahija on March 25th, 2003

Under certain circumstances, the web application component of BEA WebLogic is vulnerable to authentication bypass.


When the web application component that implements session persistence is redistributed without a server reboot, an authenticated user session can, in some cases, be reused by any user for a variable period of time without valid credentials being required.

This vulnerability may be exploited to gain access to the WebLogic server without prior authentication.
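As an added, defender-side example (not code from the Xatrix post or from BEA), the following Python script shows what the reuse described above looks like in logs and how to flag it: it binds each session id to the first authenticated user and client address seen on it, then reports any later request that presents the same session from a different client, noting whether a redeploy occurred in between. The log format, field names and sample lines are constructed for this example.

```python
import re

# Added example (not from the Xatrix post or BEA's advisory). The log format is a
# constructed, hypothetical one; each line is either
#   "<time> REDEPLOY <webapp>"                       (redeploy without a server reboot)
#   "<time> REQ <client_ip> <user|-> <session_id> <path>"
SAMPLE_LOG = """\
10:00:01 REQ 10.0.0.5 alice 7F2A /app/account
10:00:07 REQ 10.0.0.5 alice 7F2A /app/orders
10:01:00 REDEPLOY app
10:01:30 REQ 192.0.2.77 - 7F2A /app/account
10:01:45 REQ 10.0.0.9 bob 9C10 /app/login
10:02:00 REQ 10.0.0.9 bob 9C10 /app/orders
"""

REQ_RE = re.compile(r"^(\S+) REQ (\S+) (\S+) (\S+) (\S+)$")
REDEPLOY_RE = re.compile(r"^(\S+) REDEPLOY (\S+)$")

def find_reused_sessions(log_text):
    """Flag each session id presented from a client IP other than the one its
    authenticated owner used, noting whether a redeploy happened in between."""
    owners = {}           # session_id -> (user, client_ip, line no. of owner's last request)
    last_redeploy = None  # line no. of the most recent REDEPLOY event
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if REDEPLOY_RE.match(line):
            last_redeploy = n
            continue
        m = REQ_RE.match(line)
        if not m:
            continue
        _time, ip, user, sid, _path = m.groups()
        if sid not in owners:
            if user != "-":   # bind the session to the first authenticated user seen on it
                owners[sid] = (user, ip, n)
            continue
        owner_user, owner_ip, owner_last = owners[sid]
        if ip == owner_ip:    # owner still active: advance the "last seen" marker
            owners[sid] = (owner_user, owner_ip, n)
            continue
        findings.append({
            "session": sid, "owner": owner_user, "owner_ip": owner_ip, "reused_by_ip": ip,
            "after_redeploy": last_redeploy is not None and owner_last < last_redeploy < n,
        })
    return findings

if __name__ == "__main__":
    for finding in find_reused_sessions(SAMPLE_LOG):
        print(finding)
```

A session that is only ever seen unauthenticated is never bound and so never flagged; a reuse from the owner's own address (for example a shared proxy) is also not flagged, which is a deliberate limitation of this simple check.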

Vulnerable:
BEA Systems WebLogic Server 7.0.0.1 SP1
BEA Systems WebLogic Server 7.0.0.1
BEA Systems WebLogic Server 7.0 SP1
BEA Systems WebLogic Server 7.0
BEA Systems WebLogic Server for Win32 7.0.0.1 SP1
BEA Systems WebLogic Server for Win32 7.0.0.1
BEA Systems WebLogic Server for Win32 7.0 SP1
BEA Systems WebLogic Server for Win32 7.0

Not vulnerable:
BEA Systems WebLogic Server 7.0.0.1 SP2
BEA Systems WebLogic Server 7.0 SP2


Solution:

Fixes and updates are available:

BEA Systems Upgrade WebLogic Server 7.0.0.1 SP2
http://commerce.beasys.com/downloads/weblogic_server.jsp#wls

BEA Systems Upgrade WebLogic Server 7.0 SP2
http://commerce.beasys.com/downloads/weblogic_server.jsp#wls


Sources:
BEA advisory:
http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA03-27.jsp
