CVE-2004-1757 - Unspecified vulnerability in BEA Weblogic Server 6.1/7.0/8.1
Attack vector | UNKNOWN |
Attack complexity | UNKNOWN |
Privileges required | UNKNOWN |
Confidentiality impact | UNKNOWN |
Integrity impact | UNKNOWN |
Availability impact | UNKNOWN |
bea
nessus
Summary
BEA WebLogic Server and Express 8.1, SP1 and earlier, stores the administrator password in cleartext in config.xml, which allows local users to gain privileges.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 46 |
Nessus
NASL family | CGI abuses |
NASL id | BEA_PASSWORD.NASL |
description | The remote web server is running WebLogic. BEA WebLogic Server and WebLogic Express reportedly may allow disclosure of Operator or Admin passwords. An attacker who has interactive access to the affected managed server may potentially exploit this issue in a timed attack to harvest credentials when the managed server fails during the boot process. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 12043 |
published | 2004-02-05 |
reporter | This script is Copyright (C) 2004-2018 Astharot |
source | https://www.tenable.com/plugins/nessus/12043 |
title | BEA WebLogic config.xml Operator/Admin Password Disclosure |
References
- http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_50.00.jsp
- http://secunia.com/advisories/10728
- http://www.kb.cert.org/vuls/id/350350
- http://www.securityfocus.com/bid/9501
- https://exchange.xforce.ibmcloud.com/vulnerabilities/14957