Penetration Testing mailing list archives

Re: BEA Weblogic pentest


From: Christine Kronberg <seeker () shalla de>
Date: Sun, 25 Feb 2007 11:54:57 +0100 (CET)


  Hi Dieter,


In pentesting a customer web application, I discovered a weakness: the
BEA WebLogic Server Administration console appears to be available
over the public network.  This is BEA WebLogic Server 8.1.

Do any folks have tips, suggestions, or a checklist of things to check
against this page or BEA WebLogic?  I have tried brute-forcing the
login page, which will lock out the administrators, and I don't know
the usernames yet.  I have tested for default BEA passwords but found
nothing.

  I strongly suggest taking a look at the documentation at
  edocs.bea.com/wls/docs81/index.html.
  They have a good explanation of what to do to make BEA
  WebLogic secure. This gives some good hints on what to check,
  i.e. check whether the node manager is running, whether the servlet
  is enabled or disabled, ...

This PeopleSoft web application runs on WebLogic Server 8.1.

  AFAIK the BEA in PeopleSoft is embedded into the application.
  I'm not sure how much is changed.

  Cheers,

  Christine Kronberg.
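The two facts the thread establishes are that the console is reachable from the public network and that repeated failed logins against it lock administrators out. Both are things a defender can watch for in server logs. The following is an added example, not code from Christine's mail, from BEA or from PeopleSoft: it parses a constructed audit-log format (the field layout, the /console/ context path and the OK/FAIL outcomes are assumptions, not real WebLogic 8.1 output) and reports (a) console logins from addresses outside an allowed management network and (b) sources that accumulate enough failures in a short window to trigger the lockout.

```python
import re
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

# Constructed sample audit lines (NOT real WebLogic 8.1 log output).
# Assumed layout:  <ISO timestamp> <client ip> <request path> <outcome>
SAMPLE_LOG = """\
2007-02-25T11:50:01 198.51.100.7 /console/login/LoginForm.jsp OK
2007-02-25T11:50:03 203.0.113.5 /console/login/LoginForm.jsp FAIL
2007-02-25T11:50:04 203.0.113.5 /console/login/LoginForm.jsp FAIL
2007-02-25T11:50:05 203.0.113.5 /console/login/LoginForm.jsp FAIL
2007-02-25T11:50:06 203.0.113.5 /console/login/LoginForm.jsp FAIL
2007-02-25T11:50:07 203.0.113.5 /console/login/LoginForm.jsp FAIL
2007-02-25T11:50:40 203.0.113.5 /console/login/LoginForm.jsp FAIL
2007-02-25T11:53:00 192.0.2.9 /console/login/LoginForm.jsp FAIL
2007-02-25T11:58:00 192.0.2.9 /console/login/LoginForm.jsp FAIL
2007-02-25T12:01:00 198.51.100.7 /psp/ps/signon.html OK
"""

# Assumption: the admin console is served under its default /console/ path.
CONSOLE_PREFIX = "/console/"

Record = namedtuple("Record", "ts ip path outcome")
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse(line):
    """Parse one audit line; return a Record or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, path, outcome = m.groups()
    return Record(datetime.fromisoformat(ts), ip, path, outcome)


def console_records(log_text):
    """Yield only the records that touch the admin console."""
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is not None and rec.path.startswith(CONSOLE_PREFIX):
            yield rec


def console_access_from_outside(log_text, allowed_prefixes):
    """Exposure check: client addresses that reached the console but do not
    belong to the allowed management network(s). Any non-empty result means
    the console is answering requests it should never see."""
    return {
        rec.ip
        for rec in console_records(log_text)
        if not rec.ip.startswith(tuple(allowed_prefixes))
    }


def detect_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Lockout-risk check: per client, keep a sliding window of failed console
    logins and report the first moment a client reaches `threshold` failures
    within `window`. Returns {ip: (count, first_failure, last_failure)}."""
    recent = defaultdict(deque)
    hits = {}
    for rec in console_records(log_text):
        if rec.outcome != "FAIL":
            continue
        q = recent[rec.ip]
        q.append(rec.ts)
        # Drop failures that have aged out of the window.
        while q and rec.ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and rec.ip not in hits:
            hits[rec.ip] = (len(q), q[0], q[-1])
    return hits


if __name__ == "__main__":
    outside = console_access_from_outside(SAMPLE_LOG, ("198.51.100.",))
    print("console reached from outside the management network:", sorted(outside))
    for ip, (n, first, last) in detect_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed console logins between {first} and {last}")
```

With the constructed sample, 203.0.113.5 reaches five failures within four seconds and is reported once, while 192.0.2.9 fails twice five minutes apart and stays below the threshold; the exposure check lists both external addresses because neither belongs to the assumed 198.51.100.0/24 management network. The threshold and window should be set to match the lockout policy actually configured on the server, so that a burst is flagged before administrators are locked out rather than after.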

