BEA Systems WebLogic Server and Express 7.0 - Null Character Denial of Service

EDB-ID:

21432

CVE:

2002-0106

EDB Verified:

Author:

Peter Gründl

Type:

dos

Exploit:   /  

Platform:

Windows

Date:

2002-04-30

Vulnerable App: 
source: https://www.securityfocus.com/bid/4646/info

BEA Systems WebLogic Server is an enterprise level web and wireless application server for Microsoft Windows and most Unix and Linux distributions.

BEA WebLogic Express provides a platform for serving dynamic data to web and wireless applications.

It is possible to create a denial of service condition by appending a null character to a request for a MS-DOS device name (such as AUX). Multiple malformed requests will cause the server to hang.

BugTraq ID 3816 "BEA Systems WebLogic Server DOS Device Denial of Service Vulnerability" describes a similar condition, which was fixed in WebLogic Server 6.1 SP2. However, the null character variation of this attack affects systems running WebLogic Server 6.1 SP2.

The server must be restarted to regain normal functionality. 

This issue may be exploited with a web browser. For example:

http://target//aux%00
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services