
RE: BEA Weblogic pentest

To: "'Christine Kronberg'" <seeker@shalla.de>, "'Dieter'" <dieterlot@gmail.com>
Subject: RE: BEA Weblogic pentest
From: "Darren Webb" <spyder007@charter.net>
Date: Tue, 27 Feb 2007 17:37:06 -0600
Cc: <pen-test@securityfocus.com>
In-reply-to: <Pine.LNX.4.64.0702251138060.17776@shalla.de>
References: <2dfae2010702221043wcb920d8xd09d9c75a499df0b@mail.gmail.com> <Pine.LNX.4.64.0702251138060.17776@shalla.de>
Hello,

Christine is right. BEA Weblogic is integrated into the PeopleSoft
application. In this scenario, if you found something in BEA Weblogic that
has issues and needs to be upgraded, the patch/fix has to be tested and
approved by PeopleSoft first (in our case, it was a full PeopleSoft upgrade
that fixed the problems).

Darren 

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
Behalf Of Christine Kronberg
Sent: Sunday, February 25, 2007 4:55 AM
To: Dieter
Cc: pen-test@securityfocus.com
Subject: Re: BEA Weblogic pentest


   Hi Dieter,


> In pentesting a customer web application, I discovered a weakness: the 
> BEA WebLogic Server Administration console appears to be available 
> over the public network.  This is BEA WebLogic Server 8.1.
>
> Do any folks have tips, suggestions, or checklist for things to check 
> against this page or BEA WebLogic?  I have tried brute forcing the 
> login page which will lock out the administrators, and I don't know 
> the usernames yet.  I have tested for default BEA passwords but 
> nothing.

   I strongly suggest taking a look at the documentation at
   edocs.bea.com/wls/docs81/index.html.
   They have a good explanation of what to do to make BEA
   Weblogic secure. This gives some good hints on what to check,
   e.g. check if the nodemanager is running, whether the servlet
   is enabled or disabled, ... .

> This PeopleSoft web application runs on WebLogic Server 8.1.

   AFAIK the BEA in PeopleSoft is embedded into the application.
   I'm not sure how much is changed.

   Cheers,

   Christine Kronberg.
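Dieter's question above is really two problems: confirming that the console is reachable from outside, and doing so without tripping the failed-login lockout that already bit him. Anything that submits credentials counts against the lockout threshold; a plain GET of the login form does not. The script below is an added example for this thread, not code posted by any of the participants or shipped by BEA. It issues one unauthenticated GET per candidate path, refuses to follow redirects so the 302 into the console is visible, fingerprints the release from the Server header, and never touches j_security_check. "/console" is the well-known context root; the LoginForm.jsp path, the host name and the sample responses are assumptions or constructed for the offline demo.

```python
"""Credential-free exposure check for a WebLogic Administration Console.

One unauthenticated GET per path. Nothing is ever POSTed to the J2EE form
login (j_security_check), so the failed-login counter that locks out
administrators is never incremented.
"""
import sys
import urllib.error
import urllib.request
import re

# "/console" is the well-known console context root. The form-login path is
# an assumption (it has changed between releases); a 404 there is not conclusive.
CONSOLE_PATHS = ("/console", "/console/login/LoginForm.jsp")

# Pulls the release ("8.1") and optional service pack out of the Server header.
SERVER_RE = re.compile(r"WebLogic Server\s+(\d+(?:\.\d+)*)(?:\s+SP(\d+))?", re.I)

# Markers of a reachable login form. j_username / j_security_check are the
# standard J2EE form-auth names WebLogic uses; "WebLogic" catches branded pages.
LOGIN_RE = re.compile(r"j_username|j_security_check|LoginForm|WebLogic", re.I)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Returning None makes urllib raise HTTPError for 3xx instead of following."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, headers, body):
    """Classify one response. headers is a dict with lowercase keys."""
    m = SERVER_RE.search(headers.get("server", ""))
    version = None
    if m:
        version = m.group(1) + (" SP" + m.group(2) if m.group(2) else "")
    location = headers.get("location", "")
    if status in (301, 302, 303, 307) and "/console" in location:
        state = "redirect-into-console"
    elif status == 200 and LOGIN_RE.search(body or ""):
        state = "login-form-reachable"
    elif status in (401, 403):
        state = "present-but-restricted"
    elif status == 404:
        state = "not-found"
    else:
        state = "unknown"
    return {"state": state, "version": version}


def verdict(results):
    """Collapse per-path classifications into one finding for the host."""
    states = {r["state"] for r in results}
    if states & {"login-form-reachable", "redirect-into-console"}:
        return "EXPOSED"
    if "present-but-restricted" in states:
        return "RESTRICTED"
    if states == {"unreachable"}:
        return "UNREACHABLE"
    return "NOT-FOUND"


def probe(base_url, timeout=5.0):
    """Issue one credential-free GET per console path and classify each."""
    opener = urllib.request.build_opener(_NoRedirect)
    results = []
    for path in CONSOLE_PATHS:
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"User-Agent": "console-exposure-check"})
        try:
            with opener.open(req, timeout=timeout) as resp:
                hdrs = {k.lower(): v for k, v in resp.headers.items()}
                res = classify(resp.status, hdrs, resp.read(4096).decode("latin-1"))
        except urllib.error.HTTPError as e:  # 3xx/4xx/5xx still carry headers
            hdrs = {k.lower(): v for k, v in e.headers.items()}
            res = classify(e.code, hdrs, e.read(4096).decode("latin-1"))
        except (urllib.error.URLError, OSError):
            res = {"state": "unreachable", "version": None}
        res["path"] = path
        results.append(res)
    return results


# Constructed sample responses (not captured from any real host) so the
# classification can be exercised offline; target.example is a placeholder.
SAMPLE = [
    (302, {"server": "WebLogic Server 8.1 SP6",
           "location": "http://target.example/console/login/LoginForm.jsp"}, ""),
    (200, {"server": "WebLogic Server 8.1 SP6", "content-type": "text/html"},
     '<form action="j_security_check" method="POST"><input name="j_username">'),
]


def demo():
    """Classify the constructed sample and return (verdict, detected version)."""
    results = [classify(*r) for r in SAMPLE]
    return verdict(results), results[0]["version"]


if __name__ == "__main__":
    url = sys.argv[1] if len(sys.argv) > 1 else None
    out = probe(url) if url else [classify(*r) for r in SAMPLE]
    for r in out:
        print(r)
    print("verdict:", verdict(out))
```

Run it as `python check_console.py https://host:port` against the customer-facing address; an EXPOSED verdict with an 8.1 fingerprint is the finding, and it was obtained with two GETs and zero login attempts. Because, as Darren notes, the WebLogic under PeopleSoft can only be patched through PeopleSoft's own cycle, the remediation to recommend is independent of that cycle: deny /console at the external reverse proxy or firewall so the form is simply not reachable from the public network.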


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
