WebLogic Displays Source Code
Reported July 28, 2000 by Foundstone
- BEA Systems WebLogic Enterprise 5.1.x
WebLogic can be caused to display source code by using specific syntax to invoke the SSIServlet or FileServlet applications, which ship as part of the platform.
If a site has a URL such as that shown in Figure 1, then its source can be displayed by using the URL seen in Figure 2:
Figure 1: http://site.running.weblogic/login.jsp
Figure 2: http://site.running.weblogic/*.shtml/login.jsp
In addition, by prefixing a URL with the /ConsoleHelp/ path, a file's source code will be displayed. For example, the source code within a file at the URL seen in Figure 3 can be viewed by accessing it via the modified URL seen in Figure 4:
Figure 3: http://site.running.weblogic/login.jsp
Figure 4: http://site.running.weblogic/ConsoleHelp/login.jsp
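The following is an added example, not part of the original advisory: a check a defender could run over access logs to find requests that use either URL form shown in the figures. It assumes Common Log Format; the function names, the sample log lines, the .jsp-only extension list and the choice to match only the first path segment are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Request and status fields of a Common Log Format line (assumed log format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Extensions treated as server-side source. The advisory shows only .jsp;
# extend this tuple for other file types served by the site.
SOURCE_EXTS = (".jsp",)

def classify(target):
    """Return which URL form from the advisory the request matches, or None."""
    path = unquote(urlsplit(target).path)  # drop the query, normalize the path
    segments = [s for s in path.split("/") if s]
    # Both forms are a prefix segment followed by the path of a source file.
    if len(segments) < 2 or not segments[-1].lower().endswith(SOURCE_EXTS):
        return None
    first = segments[0].lower()
    if first == "*.shtml":
        return "shtml-prefix"
    if first == "consolehelp":
        return "consolehelp-prefix"
    return None

def scan(lines):
    """Yield (client, target, status, form) for each matching log line."""
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        form = classify(m.group("target"))
        if form:
            yield line.split(" ", 1)[0], m.group("target"), int(m.group("status")), form

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Jul/2000:10:00:01 +0000] "GET /login.jsp HTTP/1.0" 200 1042',
    '192.0.2.44 - - [28/Jul/2000:10:00:05 +0000] "GET /*.shtml/login.jsp HTTP/1.0" 200 3310',
    '192.0.2.44 - - [28/Jul/2000:10:00:09 +0000] "GET /ConsoleHelp/login.jsp HTTP/1.0" 200 3310',
    '192.0.2.10 - - [28/Jul/2000:10:00:12 +0000] "GET /ConsoleHelp/index.html HTTP/1.0" 200 512',
    '192.0.2.44 - - [28/Jul/2000:10:00:15 +0000] "GET /ConsoleHelp/login.jsp?x=1 HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A 200 status on a matching line means the response should be reviewed for disclosed source; other statuses still record the attempt.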
BEA Systems released a patch for the problem, available by contacting their support staff.
Discovered by Foundstone