WebLogic Displays Source Code
Reported July 28, 2000 by Foundstone

  • BEA Systems WebLogic Enterprise 5.1.x
  • BEA Systems WebLogic Server Express 4.5.X and 5.1.x


    WebLogic can be made to display the source code of a file when a request uses specific URL syntax to invoke the SSIServlet or FileServlet applications, which ship as part of the platform.


    If a site serves a page at a URL such as the one shown in Figure 1, the page's source can be displayed by requesting the URL shown in Figure 2:

    Figure 1: http://site.running.weblogic/login.jsp

    Figure 2: http://site.running.weblogic/*.shtml/login.jsp

    In addition, prefixing a URL's path with /ConsoleHelp/ causes the file's source code to be displayed. For example, the source code of the file at the URL in Figure 3 can be viewed by requesting the modified URL in Figure 4:

    Figure 3: http://site.running.weblogic/login.jsp

    Figure 4: http://site.running.weblogic/ConsoleHelp/login.jsp
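
    To check whether requests of the two forms above have already reached a server, the following added example (not part of the Foundstone advisory) scans access-log lines for them. The Common Log Format layout, the list of source extensions and the sample lines are assumptions made for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# Path prefixes taken from Figures 2 and 4 of the advisory.
SUSPECT_PREFIXES = ("/*.shtml/", "/ConsoleHelp/")
# Assumption: extensions that hold server-side source on the site under review.
SOURCE_EXTENSIONS = (".jsp", ".jhtml")
# Request and status fields of a Common Log Format line (assumed log format).
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def classify(line):
    """Return (prefix, path, status) when a log line matches the advisory's
    URL forms, otherwise None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    # Drop the query string and decode percent-escapes so an encoded
    # spelling of the same path is compared as well.
    path = unquote(urlsplit(m.group("target")).path)
    lowered = path.lower()  # detection choice: report case variants too
    for prefix in SUSPECT_PREFIXES:
        if lowered.startswith(prefix.lower()) and lowered.endswith(SOURCE_EXTENSIONS):
            return prefix, path, int(m.group("status"))
    return None


def scan(lines):
    """Collect every matching request, keeping the logged status code."""
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Jul/2000:10:00:01 +0000] "GET /login.jsp HTTP/1.0" 200 1532',
    '192.0.2.44 - - [28/Jul/2000:10:02:17 +0000] "GET /*.shtml/login.jsp HTTP/1.0" 200 4811',
    '192.0.2.44 - - [28/Jul/2000:10:02:19 +0000] "GET /%2A.shtml/login.jsp HTTP/1.0" 200 4811',
    '192.0.2.44 - - [28/Jul/2000:10:02:25 +0000] "GET /ConsoleHelp/login.jsp?x=1 HTTP/1.0" 404 0',
    '192.0.2.10 - - [28/Jul/2000:10:05:40 +0000] "GET /ConsoleHelp/index.html HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for prefix, path, status in scan(SAMPLE_LOG):
        print(f"{status} {prefix:<14} {path}")
```

    Hits logged with status 200 are the ones to review first, and ordinary requests for static help pages under /ConsoleHelp/ are not reported.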


    BEA Systems released a patch for the problem, available by contacting their support staff.

    Discovered by Foundstone