what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

ACROS Security Problem Report 2009-10-30.1

ACROS Security Problem Report 2009-10-30.1
Posted Nov 3, 2009
Authored by ACROS Security | Site acrossecurity.com

ACROS Security Problem Report #2009-10-30-1 - There is an HTML Injection vulnerability in the WebLogic server version 10.3 administration console that allows the attacker to gain administrative access to the server.

tags | advisory
SHA-256 | afb874f67261c2f5e3869658a0249ee9cea2ebb6a0e437486664f71a9744d1c9

ACROS Security Problem Report 2009-10-30.1

Change Mirror Download


ACROS Security Problem Report #2009-10-30-1
ASPR #2009-10-30-1: HTML Injection in Oracle WebLogic Server Console

Document ID: ASPR #2009-10-30-1-PUB
Vendor: Oracle (http://www.oracle.com)
Target: Oracle WebLogic Server 10.3
Impact: There is an HTML Injection vulnerability in WebLogic
Server 10.3 Administration Console that allows the
attacker to gain administrative access to the server.
Severity: High
Status: Official patch available, workarounds available
Discovered by: Luka Treiber of ACROS Security

Current version


There is an HTML Injection vulnerability in WebLogic Server 10.3
Administration Console that allows the attacker to gain administrative
access to the server. It is possible to craft such URL that will, when
requested from the server, return a document with arbitrarily chosen HTML
injected. An obvious use for this type of vulnerability is cross-site
scripting that can be used, among other things, for obtaining session
cookies from WebLogic administrators. These cookies, when stolen, provide
the attacker with administrative access to WebLogic Administration
Console, compromising the security of the entire web server.

This vulnerability is exploitable even if the Administration Console is
only being accessed via HTTPS, and even if the Administrative Port is

Product Coverage

- WebLogic Server 10.3

Note: Our tests were only performed on the above product version. Other
versions may or may not be affected.


Some URL argument in the WebLogic Server 10.3 Administration Console is
not properly sanitized against HTML injection, which allows the attacker
to introduce additional, malicious HTML to the server's response. The
most common type of HTML injection is injection of malicious client-side
script, commonly known as cross-site scripting.

In an actual attack the user would not be required to open URLs specified
by the attacker. Instead, a malicious web page visited by the logged-in
WebLogic administrator would mount the entire attack automatically and
covertly. For instance, a tiny 0x0 pixel iframe could be used for loading
the URL from the demonstration immediately upon administrator's visit to
the malicious page, injecting the malicious script to the WebLogic
server's response. This malicious script would then silently send these
cookies to the attacker's server, where she could pick them up and use
them for entering the administrator's session in the Administration

Mitigating Factors

- In order to execute the above attack, the attacker would need to make
the administrator's browser visit a malicious web page while the
administrator is logged into the Administration Console. This can be
achieved using social engineering, network traffic modification or a
combination of both.

- If the attacker manages to obtain a valid ADMINCONSOLESESSION cookie
(and optionally _WL_AUTHCOOKIE_ADMINCONSOLESESSION cookie), these will
only be useful until the administrator logs out of the Administration
Console. However, the attacker knowing that might rush to create a new
administrative user in the console and use that user for WebLogic
administration after the legitimate administrator has logged off.


Oracle has issued a security bulletin [1] and published a patch which
fixes this issue.


- The WebLogic Administration Console can be disabled, which would
neutralize this vulnerability.


[1] Oracle Critical Patch Update Advisory - October 2009


We would like to acknowledge Oracle Corporation for
professional handling of the identified vulnerability.


ACROS d.o.o.
Makedonska ulica 113
SI - 2000 Maribor

e-mail: security@acrossecurity.com
web: http://www.acrossecurity.com
phone: +386 2 3000 280
fax: +386 2 3000 282

ACROS Security PGP Key
[Fingerprint: FE9E 0CFB CE41 36B0 4720 C4F1 38A3 F7DD]

ACROS Security Advisories

ACROS Security Papers

ASPR Notification and Publishing Policy


The content of this report is purely informational and meant only for the
purpose of education and protection. ACROS d.o.o. shall in no event be
liable for any damage whatsoever, direct or implied, arising from use or
spread of this information. All identifiers (hostnames, IP addresses,
company names, individual names etc.) used in examples and demonstrations
are used only for explanatory purposes and have no connection with any
real host, company or individual. In no event should it be assumed that
use of these names means specific hosts, companies or individuals are
vulnerable to any attacks nor does it mean that they consent to being used
in any vulnerability tests. The use of information in this report is
entirely at user's risk.

Revision History

October 30, 2009: Initial release


(c) 2009 ACROS d.o.o. Forwarding and publishing of this document is
permitted providing the content between "[BEGIN-ACROS-REPORT]" and
"[END-ACROS-REPORT]" marks remains unchanged.

Login or Register to add favorites

File Archive:

February 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    11 Files
  • 2
    Feb 2nd
    9 Files
  • 3
    Feb 3rd
    5 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    0 Files
  • 6
    Feb 6th
    0 Files
  • 7
    Feb 7th
    0 Files
  • 8
    Feb 8th
    0 Files
  • 9
    Feb 9th
    0 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    0 Files
  • 13
    Feb 13th
    0 Files
  • 14
    Feb 14th
    0 Files
  • 15
    Feb 15th
    0 Files
  • 16
    Feb 16th
    0 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By