Searching servlet software vulnerabilities

The default configuration of the Sun Java web s

configuration | arbitrary | attackers | boardhtml | uploading | commands | compiler | directly | earlier | default | calling | execute | servlet | remote | server | allows | then | Java | code | JSP | web | Sun | via |

The default configuration of the Sun Java web server 2.0 and earlier allows remote attackers to execute arbitrary commands by uploading Java code to the server via board.html, then directly calling the JSP compiler servlet.


The Snoop servlet in Jakarta Tomcat 3.1 and 3.0

information | nonexistent | sensitive | extension | attacker | requests | servlet | Jakarta | reveals | remote | Tomcat | Apache | system | Snoop | under | snp | URL |

The Snoop servlet in Jakarta Tomcat 3.1 and 3.0 under Apache reveals sensitive system information when a remote attacker requests a nonexistent URL with a .snp extension.


The sample Java servlet "test" in Bajie HTTP we

pathname | document | reveals | servlet | server | sample | "test" | Bajie | real | HTTP | Java | 030a | root | web |

The sample Java servlet "test" in Bajie HTTP web server 0.30a reveals the real pathname of the web document root.


The administration module in Sun Java web serve

comsunserverhttppagecompilejsp92JspServlet | administration | requesting | arbitrary | attackers | /servlet/ | uploading | commands | execute | invoke | module | begins | remote | allows | server | Java | code | web | tag | URL | Sun |

The administration module in Sun Java web server allows remote attackers to execute arbitrary commands by uploading Java code to the module and invoke the com.sun.server.http.pagecompile.jsp92.JspServlet by requesting a URL that begins with a /servlet/ tag.


Allaire JRun 2.3 server allows remote attackers

executable | attackers | SSIFilter | directly | content | Allaire | servlet | calling | remote | allows | server | source | obtain | JRun | code |

Allaire JRun 2.3 server allows remote attackers to obtain source code for executable content by directly calling the SSIFilter servlet.


Allaire JRun 2.3.3 server allows remote attacke

Allaire | JRun |

Allaire JRun 2.3.3 server allows remote attackers to compile and execute JSP code by inserting it via a cross-site scripting (CSS) attack and directly calling the com.livesoftware.jrun.plugins.JSP JSP servlet.


BEA Systems WebLogic Express and WebLogic Serve

restricted | attackers | controls | multiple | WebLogic | SP1-SP6 | Systems | Express | servlet | access | allows | Server | bypass | remote | pages | URL | BEA | JSP | via |

BEA Systems WebLogic Express and WebLogic Server 5.1 SP1-SP6 allows remote attackers to bypass access controls for restricted JSP or servlet pages via a URL with multiple / (forward slash) characters before the restricted pages.


UploadServlet in Bajie HTTP JServer 0.78 allows

UploadServlet | JServer | Bajie | HTTP |

UploadServlet in Bajie HTTP JServer 0.78 allows remote attackers to execute arbitrary commands by calling the servlet to upload a program, then using a ... (modified ..) to access the file that was created for the program.


Novell Groupwise 5.5 and 6.0 Servlet Gateway is

privileges | installed | attackers | Groupwise | username | password | manager | Servlet | default | Gateway | Novell | remote | allows | which | gain |

Novell Groupwise 5.5 and 6.0 Servlet Gateway is installed with a default username and password for the servlet manager, which allows remote attackers to gain privileges.


Directory traversal vulnerability in Novell Gro

/servlet/webaccUserhtml= | vulnerability | attackers | arbitrary | GroupWise | traversal | Directory | contains | request | allows | Novell | remote | files | read | "/" | via |

Directory traversal vulnerability in Novell GroupWise 5.5 and 6.0 allows remote attackers to read arbitrary files via a request for /servlet/webacc?User.html= that contains "../" (dot dot) sequences and a null character.


Unknown vulnerability in Tomcat 3.2.1 running o

vulnerability | Unknown | Tomcat |

Unknown vulnerability in Tomcat 3.2.1 running on HP Secure OS for Linux 1.0 allows attackers to access servlet resources. NOTE: due to the vagueness of the vendor advisory, it is not clear whether this issue is already covered by other CVE identifiers.


The default configuration of Oracle 9i Applicat

authentication | configuration | Application | Monitoring | anonymous | sensitive | including | services | without | Dynamic | default | Server | Oracle | access | allows | remote | users | 102x |

The default configuration of Oracle 9i Application Server 1.0.2.x allows remote anonymous users to access sensitive services without authentication, including Dynamic Monitoring Services (1) dms0, (2) dms/DMSDump, (3) servlet/DMSDump, (4) servlet/Spy, (5) soap/servlet/Spy, and (6) dms/AggreSpy; and Oracle Java Process Manager (7) oprocmgr-status and (8) oprocmgr-service, which can be used to control Java processes.


Oracle Configurator before 11.5.7.17.32 and 11.

Configurator | before | Oracle |

Oracle Configurator before 11.5.7.17.32 and 11.5.6.16.53 allows remote attackers to obtain sensitive information via a request to the oracle.apps.cz.servlet.UiServlet servlet with the test parameter set to "version" or "host".


An undocumented extension for the Servlet mappi

specification | undocumented | upgrading | extension | WebLogic | mappings | Service | through | Express | Servlet | Server | Pack | BEA |

An undocumented extension for the Servlet mappings in the Servlet 2.3 specification, when upgrading to WebLogic Server and Express 7.0 Service Pack 1 from BEA WebLogic Server and Express 6.0 through 7.0.0.1, does not prepend a "/" character in certain URL patterns, which prevents the proper enforcement of role mappings and policies in applications that use the extension.


BEA WebLogic Server and WebLogic Express 8.1 SP

"constrain" | properly | WebLogic | earlier | Express | Server | BEA | "/" | SP3 | SP5 | not |

BEA WebLogic Server and WebLogic Express 8.1 SP3 and earlier, and 7.0 SP5 and earlier, do not properly "constrain" a "/" (slash) servlet root URL pattern, which might allow remote attackers to bypass intended servlet protections.


BEA WebLogic Server and WebLogic Express 8.1 SP

fullyDelegatedAuthorization | authorization | deployment | protected" | providers | WebLogic | failures | servlet | prevent | Express | earlier | enabled | "fully | Server | being | might | which | cause | occur | does | role | fail | SP3 | BEA | not | SP5 |

BEA WebLogic Server and WebLogic Express 8.1 SP3 and earlier, and 7.0 SP5 and earlier, when fullyDelegatedAuthorization is enabled for a servlet, does not cause servlet deployment to fail when failures occur in authorization or role providers, which might prevent the servlet from being "fully protected."


Multiple SQL injection vulnerabilities in Neon

vulnerabilities | injection | Multiple | WebMail | before | Java | Neon | SQL |

Multiple SQL injection vulnerabilities in Neon WebMail for Java before 5.08 allow remote attackers to execute arbitrary SQL commands via the (1) adr_sortkey and (2) adr_sortkey_desc parameters in the (a) addrlist servlet, and the (3) sortkey and (4) sortkey_desc parameters in the (b) maillist servlet.


The Servlet Engine and Web Container in IBM Web

Application | Container | WebSphere | Servlet | Server | Engine | Web | IBM |

The Servlet Engine and Web Container in IBM WebSphere Application Server (WAS) before 6.0.2.17, when ibm-web-ext.xmi sets fileServingEnabled to true and servlet caching is enabled, allows remote attackers to obtain JSP source code and other sensitive information via "specific requests."


Unspecified vulnerability in the Servlet Engine

vulnerability | Application | Unspecified | Engine/Web | WebSphere | Container | Servlet | Server | IBM |

Unspecified vulnerability in the Servlet Engine/Web Container in IBM WebSphere Application Server (WAS) before 6.1.0.7 has unknown impact and attack vectors.


Guidance Software EnCase Enterprise Edition (EE

Enterprise | Software | Guidance | Edition | EnCase |

Guidance Software EnCase Enterprise Edition (EEE) 6 does not properly verify the identity of the acquisition target during communication with the EnCase Servlet (EEE servlet), which might allow remote attackers to spoof the disk image.


Software vulnerabilities results 1 to 20 of 56     
Page: 123