NI3
10-30-2003, 06:58 PM
TITLE:
BEA Tuxedo and WebLogic Enterprise Administration Console
Vulnerability
SECUNIA ADVISORY ID:
SA10106
VERIFY ADVISORY:
[Only registered and activated users can see links]
CRITICAL:
Less critical
IMPACT:
Cross Site Scripting, Exposure of system information, DoS
WHERE:
From remote
SOFTWARE:
BEA Tuxedo 6.x
BEA Tuxedo 7.x
BEA Tuxedo 8.x
BEA WebLogic Enterprise 4.x
BEA WebLogic Enterprise 5.x
DESCRIPTION:
A vulnerability has been reported in BEA Tuxedo and WebLogic
Enterprise, which can be exploited by malicious people to conduct
Cross-Site Scripting attacks, cause a DoS (Denial of Service) or
determine the existence of files.
The vulnerability is caused due to the Administration Console CGI
script not validating startup arguments like the path to the
initialisation file.
The following products are affected:
* Tuxedo 8.1
* Tuxedo 8.0
* Tuxedo 7.1
* Tuxedo 6.5
* Tuxedo 6.4
* Tuxedo 6.3
* WebLogic Enterprise 5.1
* WebLogic Enterprise 5.0.1
* WebLogic Enterprise 4.2
SOLUTION:
Restrict access to the Administration Console and apply patch.
Tuxedo 8.1:
Apply Rolling Patch 62 or later from BEA Customer Support.
REPORTED BY / CREDITS:
Corsaire Limited
ORIGINAL ADVISORY:
[Only registered and activated users can see links]
BEA Tuxedo and WebLogic Enterprise Administration Console
Vulnerability
SECUNIA ADVISORY ID:
SA10106
VERIFY ADVISORY:
[Only registered and activated users can see links]
CRITICAL:
Less critical
IMPACT:
Cross Site Scripting, Exposure of system information, DoS
WHERE:
From remote
SOFTWARE:
BEA Tuxedo 6.x
BEA Tuxedo 7.x
BEA Tuxedo 8.x
BEA WebLogic Enterprise 4.x
BEA WebLogic Enterprise 5.x
DESCRIPTION:
A vulnerability has been reported in BEA Tuxedo and WebLogic
Enterprise, which can be exploited by malicious people to conduct
Cross-Site Scripting attacks, cause a DoS (Denial of Service) or
determine the existence of files.
The vulnerability is caused due to the Administration Console CGI
script not validating startup arguments like the path to the
initialisation file.
The following products are affected:
* Tuxedo 8.1
* Tuxedo 8.0
* Tuxedo 7.1
* Tuxedo 6.5
* Tuxedo 6.4
* Tuxedo 6.3
* WebLogic Enterprise 5.1
* WebLogic Enterprise 5.0.1
* WebLogic Enterprise 4.2
SOLUTION:
Restrict access to the Administration Console and apply patch.
Tuxedo 8.1:
Apply Rolling Patch 62 or later from BEA Customer Support.
REPORTED BY / CREDITS:
Corsaire Limited
ORIGINAL ADVISORY:
[Only registered and activated users can see links]