On Wed, 28 Mar 2001, Przemyslaw Maciuszko wrote:
> We were able to reproduce it on Solaris with Weblogic 5.1 SP8 in a clustered
> Weblogic environment.
> So this version IS vulnerable on Solaris.
Replying to myself.
As someone mentioned the combination of Weblogic + iPlanet.
We've tested it on two configurations.
1. Weblogic + iPlanet is vulnerable (iPlanet is parsing the string to
Weblogic and showing the source of .jsp)
2. Weblogic + Apache is NOT vulnerable (Apache shows the compiled jsp not
the source jsp)
So the temporary workaround can be changing from iPlanet to Apache.
--
Przemyslaw Maciuszko
Agora S.A.