BEA Weblogic pentest

To:	pen-test@securityfocus.com
Subject:	BEA Weblogic pentest
From:	Dieter <dieterlot@gmail.com>
Date:	Thu, 22 Feb 2007 12:43:45 -0600
Delivered-to:	sp-com-lists@consult.net
Delivered-to:	pentest-list2@consult.net
Delivered-to:	mailing list pen-test@securityfocus.com
Delivered-to:	moderator for pen-test@securityfocus.com
Dkim-signature:	a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=ng3YdqM/YErEqA+WLGmXm4KlvRW9MurYQb8c0gF2CC6hf2XuRyhVrW51fYUNGB8xM/CVJpghsUrhGjnZez3SSIt3zjNrVukR8QGiJ2E5ow5qKnkFosEqOVFkPTM7eymCvbPGyLh8eR51/zbkpGcvKCu63khHRhUBrBLdi8aLU5w=
Domainkey-signature:	a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=aIoffNDwORadrXuaXBEMeyORNZNLZAWaKAHl1tV+bz67RBalceBIvxe5EMgYAzNUSRb2mqc+oxD9akx7/J4FXqUth1s4Gr0bYP/Oo+K8gaM9mwmpWo2bMXlf2mX/e+2GNqJfAKvzz++3fXeK3zwtXI8gCkafKqD6KlO741A1SjA=
List-help:	<mailto:pen-test-help@securityfocus.com>
List-id:	<pen-test.list-id.securityfocus.com>
List-post:	<mailto:pen-test@securityfocus.com>
List-subscribe:	<mailto:pen-test-subscribe@securityfocus.com>
List-unsubscribe:	<mailto:pen-test-unsubscribe@securityfocus.com>
Mailing-list:	contact pen-test-help@securityfocus.com; run by ezmlm
Resent-date:	Fri, 23 Feb 2007 19:32:44 -0700 (MST)
Resent-from:	pen-test-return-1078483615@securityfocus.com
Resent-message-id:	<20070224023244.0503914B0FA@outgoing2.securityfocus.com>
Resent-sender:	listbounce@securityfocus.com
Sender:	listbounce@securityfocus.com

Hallo list,

In pentesting a customer web application, I discovered a weakness in
the BEA WebLogic Server Administration console appears to be available
over the public network.  This is BEA WebLogic Server 8.1.

Do any folks have tips, suggestions, or checklist for things to check
against this page or BEA WebLogic?  I have tried brute forcing the
login page which will lock out the administrators, and I don't know
the usernames yet.  I have tested for default BEA passwords but
nothing.

This PeopleSoft web application runs on WebLogic Server 8.1.

Thank you, Dieter

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------

<Prev in Thread]	Current Thread	[Next in Thread>
BEA Weblogic pentest, Dieter <= Re: BEA Weblogic pentest, Christine Kronberg RE: BEA Weblogic pentest, Darren Webb Re: BEA Weblogic pentest, Dio Pol RE: BEA Weblogic pentest, Levenglick, Jeff

Previous by Date:	Penetration Testing Framework 0.24 released, toggmeister
Next by Date:	Re: Any suggests about a possible LRE (local root escalation), Florian Rommel
Previous by Thread:	Penetration Testing Framework 0.24 released, toggmeister
Next by Thread:	Re: BEA Weblogic pentest, Christine Kronberg
Indexes:	[Date] [Thread] [Top] [All Lists]