exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ACROS Security Problem Report 2005-05-24.2

ACROS Security Problem Report 2005-05-24.2
Posted Aug 14, 2005
Authored by Mitja Kolsek, ACROS Security | Site acrossecurity.com

WebLogic Server and WebLogic Express, Service Pack 4, suffer from an HTML injection vulnerability.

tags | advisory
SHA-256 | 4e1a06fc9b94d88a2cec7ac59f0f8068f2d468c16b54bafaf9f0330407427003

ACROS Security Problem Report 2005-05-24.2

Change Mirror Download
=====[BEGIN-ACROS-REPORT]=====

PUBLIC

=========================================================================
ACROS Security Problem Report #2005-05-24-2
-------------------------------------------------------------------------
ASPR #2005-05-24-2: HTML Injection in BEA WebLogic Server Console (2)
=========================================================================

Document ID: ASPR #2005-05-24-2-PUB
Vendor: BEA Systems (http://www.bea.com)
Target: WebLogic Server and WebLogic Express, Service Pack 4
Impact: An HTML injection vulnerability exists in WebLogic
Server Console, enabling attackers to hijack
administrative sessions using cross site scripting
Severity: High
Status: Official patch available, workarounds available
Discovered by: Mitja Kolsek of ACROS Security

Current version
http://www.acrossecurity.com/aspr/ASPR-2005-05-24-2-PUB.txt


Summary
=======

There is a vulnerability in WebLogic Server Console login page that
allows the attacker to assume administrator's identity and thus gain
administrative access to Server Console. It is possible to inject
malicious JavaScript in the login page so that when administrator logs in,
his username and password are silently transmitted to attacker's web
server.


Product Coverage
================

- WebLogic Server 8.1, Service Pack 4 - affected
- WebLogic Server 7.0, Service Pack 2 - not affected
- WebLogic Express 7.0, Service Pack 6 - affected

Older versions are likely to be affected as well.


Analysis
========

Cross site scripting is a very common problem with web-based applications.
Basically it is present whenever the server is willing to include user's
input data, which contains some client-side script (e.g. JavaScript), back
to the browser unsanitized, somewhere within the generated web page. This
script, when executed, has access to all information within and about the
received web page, including the cookies.

The main differentiator of this particular vulnerability is that the
attacker need not trick the administrator into visiting a malicious web
site while being in an administrative session. Furthermore, in contrast to
other cross-site scripting vulnerabilities, this vulnerability allows the
attacker to also obtain administrator's username and password - and not
"only" his session identifier (ADMINCONSOLESESSION).


Solution
========

BEA Systems has issued a security bulletin [1] and published a patch
which fixes this issue.


Workaround
==========

- Always close all browser instances/windows and delete all cookies before
logging in to WebLogic Server Console.


References
==========

[1] BEA Systems Security Advisory BEA05-80.00
http://dev2dev.bea.com/pub/advisory/130


Acknowledgments
===============

We would like to acknowledge Gordon Engel of BEA Systems for extremely
diligent and professional handling of the identified vulnerability.


Contact
=======

ACROS d.o.o.
Makedonska ulica 113
SI - 2000 Maribor

e-mail: security@acrossecurity.com
web: http://www.acrossecurity.com
phone: +386 2 3000 280
fax: +386 2 3000 282

ACROS Security PGP Key
http://www.acrossecurity.com/pgpkey.asc
[Fingerprint: FE9E 0CFB CE41 36B0 4720 C4F1 38A3 F7DD]

ACROS Security Advisories
http://www.acrossecurity.com/advisories.htm

ACROS Security Papers
http://www.acrossecurity.com/papers.htm

ASPR Notification and Publishing Policy
http://www.acrossecurity.com/asprNotificationAndPublishingPolicy.htm


Disclaimer
==========

The content of this report is purely informational and meant only for the
purpose of education and protection. ACROS d.o.o. shall in no event be
liable for any damage whatsoever, direct or implied, arising from use or
spread of this information. All identifiers (hostnames, IP addresses,
company names, individual names etc.) used in examples and demonstrations
are used only for explanatory purposes and have no connection with any
real host, company or individual. In no event should it be assumed that
use of these names means specific hosts, companies or individuals are
vulnerable to any attacks nor does it mean that they consent to being used
in any vulnerability tests. The use of information in this report is
entirely at user's risk.


Revision History
================

May 24, 2005: Initial release


Copyright
=========

(c) 2005 ACROS d.o.o. Forwarding and publishing of this document is
permitted providing the content between "[BEGIN-ACROS-REPORT]" and
"[END-ACROS-REPORT]" marks remains unchanged.

=====[END-ACROS-REPORT]=====

Login or Register to add favorites

File Archive:

December 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    2 Files
  • 2
    Dec 2nd
    12 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    14 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close