CVE-2008-0901 Information

Description

BEA WebLogic Server and Express 7.0 through 10.0 allows remote attackers to conduct brute-force password-guessing attacks, even when account lockout has been activated, via crafted URLs that indicate whether a guessed password is successful or not.

Reference

http://dev2dev.bea.com/pub/advisory/271
http://secunia.com/advisories/29041
http://www.s21sec.com/avisos/s21sec-040-en.txt
http://www.securityfocus.com/archive/1/488686/100/0/threaded
http://www.securitytracker.com/id?1019449
http://www.vupen.com/english/advisories/2008/0612/references
