Weblogic Security Issues - Weblogic

This is a discussion on Weblogic Security Issues - Weblogic ; We are running our Web application on Weblogic 5.1 SP12. A security company just audited our web application using its own tool and produced a report that stated the following: 1. URL Trickery may be used to list server directories ...

+ Reply to Thread
Results 1 to 3 of 3

Thread: Weblogic Security Issues

  1. Weblogic Security Issues


    We are running our Web application on Weblogic 5.1 SP12. A security company just
    audited our web application using its own tool and produced a report that stated
    the following:


    1. URL Trickery may be used to list server directories thus revealing sensitive
    files. I learned that this problem was fixed in Weblogic server after version
    5.1 SP8. I just wanted to make sure that is the case because I heard from another
    source that it wasn't until version 6.1. If the latter is right then we have
    a problem.

    2. A Hacker may be able to use "Forceful Browsing" and "Forceful Browsing by Direcotry
    Guessing" to gain access to restricted site content.


    3. Parameter Tampering can be used by a hacker by setting a param value out of
    the expected value range or changing that value to one beyond its designated range.


    4. Cross site scripting (Standard Variants) can be used whereby customer session
    and cookies are compromised thereby allowing the attackerto pose as a legitimate
    user to view, alter records, or perfrom transactions as that user.



    The question is: are still issues in 5.1 SP12? If not, can we provide a proof
    of that? If any of those is then what is the workaround/solution/patch required?

    Thanks

    Sammi

  2. Re: Weblogic Security Issues


    "Sami" wrote:
    >
    >We are running our Web application on Weblogic 5.1 SP12. A security company
    >just
    >audited our web application using its own tool and produced a report
    >that stated
    >the following:
    >
    >
    >1. URL Trickery may be used to list server directories thus revealing
    >sensitive
    >files. I learned that this problem was fixed in Weblogic server after
    >version
    >5.1 SP8. I just wanted to make sure that is the case because I heard
    >from another
    >source that it wasn't until version 6.1. If the latter is right then
    >we have
    >a problem.
    >
    >2. A Hacker may be able to use "Forceful Browsing" and "Forceful Browsing
    >by Direcotry
    >Guessing" to gain access to restricted site content.
    >
    >
    >3. Parameter Tampering can be used by a hacker by setting a param value
    >out of
    >the expected value range or changing that value to one beyond its designated
    >range.
    >
    >
    >4. Cross site scripting (Standard Variants) can be used whereby customer
    >session
    >and cookies are compromised thereby allowing the attackerto pose as a
    >legitimate
    >user to view, alter records, or perfrom transactions as that user.
    >
    >
    >
    >The question is: are still issues in 5.1 SP12? If not, can we provide
    >a proof
    >of that? If any of those is then what is the workaround/solution/patch
    >required?
    >
    >Thanks
    >
    >Sammi



    i don't believe some of these issues are necessarily Weblogic issues.



    1 and 2) You should be able to setup error pages such that

    weblogic.httpd.errorPage.xxx=whatever.html



    3 and 4) These are really application architecture and design issues. Eg. If I
    were to setup a parameter in the URL, anyone can change it and the page can display
    different results. And, the issue with the cookies, again an application issue
    as I do not know what you are storing in the local cookies file.


  3. Re: Weblogic Security Issues


    "Sami" wrote in message
    news:3f945d13$1@newsgroups.bea.com...
    >
    >
    > 4. Cross site scripting (Standard Variants) can be used whereby customer

    session
    > and cookies are compromised thereby allowing the attackerto pose as a

    legitimate
    > user to view, alter records, or perfrom transactions as that user.
    >
    >
    >
    > The question is: are still issues in 5.1 SP12? If not, can we provide a

    proof
    > of that? If any of those is then what is the workaround/solution/patch

    required?
    >


    I believe cross site scripting was fixed in sp13.

    http://dev2dev.bea.com/resourcelibra.../SA_BEA03_36.0
    0.jsp



+ Reply to Thread