Penetration Testing mailing list archives
RE: BEA Weblogic pentest
From: "Darren Webb" <spyder007 () charter net>
Date: Tue, 27 Feb 2007 17:37:06 -0600
Hello,

Christine is right. BEA Weblogic is integrated into the PeopleSoft application. In this scenario, if you found something in BEA Weblogic that has issues and needs to be upgraded, the patch/fix has to be tested and approved by PeopleSoft first (in our case, it was a full PeopleSoft upgrade that fixed the problems).

Darren

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Christine Kronberg
Sent: Sunday, February 25, 2007 4:55 AM
To: Dieter
Cc: pen-test () securityfocus com
Subject: Re: BEA Weblogic pentest

Hi Dieter,
> In pentesting a customer web application, I discovered a weakness: the BEA WebLogic Server Administration console appears to be available over the public network. This is BEA WebLogic Server 8.1. Do any folks have tips, suggestions, or a checklist for things to check against this page or BEA WebLogic? I have tried brute forcing the login page, which will lock out the administrators, and I don't know the usernames yet. I have tested for default BEA passwords but nothing.
I strongly suggest taking a look at the documentation at edocs.bea.com/wls/docs81/index.html. They have a good explanation of what to do to make BEA Weblogic secure. This gives some good hints on what to check, e.g. check if the nodemanager is running, whether the servlet is enabled or disabled, ... .
> This PeopleSoft web application runs on WebLogic Server 8.1.
AFAIK the BEA in PeopleSoft is embedded into the application. I'm not sure how much is changed.

Cheers,

Christine Kronberg.

------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
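As an added example (not from this thread or from BEA), a small check a defender could run over the WebLogic access log to spot the two conditions Dieter describes: console requests arriving from outside the management network, and bursts of login POSTs that would trip the administrator lockout. The log lines, the 10.20.0.0/24 admin network and the /console/j_security_check login path are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in the Common Log Format WebLogic's access.log uses by default
# (not from any real server); 10.20.0.0/24 is the assumed management network.
SAMPLE_LOG = """\
10.20.0.5 - - [25/Feb/2007:04:50:11 -0500] "GET /console/ HTTP/1.1" 200 2311
203.0.113.7 - - [25/Feb/2007:04:55:01 -0500] "GET /console/ HTTP/1.1" 200 2311
203.0.113.7 - - [25/Feb/2007:04:55:03 -0500] "POST /console/j_security_check HTTP/1.1" 302 0
203.0.113.7 - - [25/Feb/2007:04:55:04 -0500] "POST /console/j_security_check HTTP/1.1" 302 0
203.0.113.7 - - [25/Feb/2007:04:55:06 -0500] "POST /console/j_security_check HTTP/1.1" 302 0
198.51.100.9 - - [25/Feb/2007:05:01:00 -0500] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 9876
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) \S+$')
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # assumed: only these may reach /console
CONSOLE_PATH = "/console"
POST_THRESHOLD = 3   # this many login POSTs from one source ...
WINDOW_SECONDS = 60  # ... inside this window looks like password guessing

def parse(line):
    """Split one access-log line into fields; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"src": src, "when": when, "method": method, "path": path, "status": int(status)}

def audit_console_access(log_text, admin_nets=ADMIN_NETS):
    """Return (console hits per non-admin source IP, sorted IPs whose POST bursts look like guessing)."""
    external = Counter()
    posts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or not rec["path"].startswith(CONSOLE_PATH):
            continue  # only the administration console matters here
        if not any(ipaddress.ip_address(rec["src"]) in net for net in admin_nets):
            external[rec["src"]] += 1
        if rec["method"] == "POST":
            posts[rec["src"]].append(rec["when"])
    guessing = set()
    for src, times in posts.items():
        times.sort()
        for i in range(len(times) - POST_THRESHOLD + 1):
            if (times[i + POST_THRESHOLD - 1] - times[i]).total_seconds() <= WINDOW_SECONDS:
                guessing.add(src)
                break
    return dict(external), sorted(guessing)
```

Any non-empty result for the first value means the console is reachable from where it should not be; the second value is the list of sources to block before the lockout hits the real administrators.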
Current thread:
- BEA Weblogic pentest Dieter (Feb 23)
- Re: BEA Weblogic pentest Christine Kronberg (Feb 26)
- RE: BEA Weblogic pentest Darren Webb (Feb 28)
- Re: BEA Weblogic pentest Dio Pol (Feb 26)
- <Possible follow-ups>
- RE: BEA Weblogic pentest Levenglick, Jeff (Feb 28)
- Re: BEA Weblogic pentest Christine Kronberg (Feb 26)