漏洞类别:Web server漏洞等级: 
漏洞信息
BEA Systems WebLogic Server is an enterprise-level Web and wireless application server.
BEA incorrectly handles .jsp and .jhtml files, allowing remote compilation and execution of jsp code.
When the deployment environment is not properly locked down, a user may have inappropriate write access to the Web document root directory. This user could knowingly or unknowingly execute a malicious application that may insert executable code in JSP or JHTML files residing in the Web document root directory. This causes BEA WebLogic Server and Express servlet handlers to compile and execute the extraneous code.
漏洞危害
By exploiting this vulnerability, an attacker can gain administrative control of the operating system or application server. Also, unauthorized information obtained by the attacker may be used to further compromise the host.
解决方案
Lockdown your WebLogic Server deployment and prevent inappropriate write access to the Web document root directory, following the instructions on BEA WebLogic Server's Web site.
Alternatively, upgrade to the latest version of WebLogic Server, which is available for download from the BEA Systems Products page
0day
文章评论