=====[BEGIN-ACROS-REPORT]===== PUBLIC ========================================================================= ACROS Security Problem Report #2005-05-24-2 ------------------------------------------------------------------------- ASPR #2005-05-24-2: HTML Injection in BEA WebLogic Server Console (2) ========================================================================= Document ID: ASPR #2005-05-24-2-PUB Vendor: BEA Systems (http://www.bea.com) Target: WebLogic Server and WebLogic Express, Service Pack 4 Impact: An HTML injection vulnerability exists in WebLogic Server Console, enabling attackers to hijack administrative sessions using cross site scripting Severity: High Status: Official patch available, workarounds available Discovered by: Mitja Kolsek of ACROS Security Current version http://www.acrossecurity.com/aspr/ASPR-2005-05-24-2-PUB.txt Summary ======= There is a vulnerability in WebLogic Server Console login page that allows the attacker to assume administrator's identity and thus gain administrative access to Server Console. It is possible to inject malicious JavaScript in the login page so that when administrator logs in, his username and password are silently transmitted to attacker's web server. Product Coverage ================ - WebLogic Server 8.1, Service Pack 4 - affected - WebLogic Server 7.0, Service Pack 2 - not affected - WebLogic Express 7.0, Service Pack 6 - affected Older versions are likely to be affected as well. Analysis ======== Cross site scripting is a very common problem with web-based applications. Basically it is present whenever the server is willing to include user's input data, which contains some client-side script (e.g. JavaScript), back to the browser unsanitized, somewhere within the generated web page. This script, when executed, has access to all information within and about the received web page, including the cookies. The main differentiator of this particular vulnerability is that the attacker need not trick the administrator into visiting a malicious web site while being in an administrative session. Furthermore, in contrast to other cross-site scripting vulnerabilities, this vulnerability allows the attacker to also obtain administrator's username and password - and not "only" his session identifier (ADMINCONSOLESESSION). Solution ======== BEA Systems has issued a security bulletin [1] and published a patch which fixes this issue. Workaround ========== - Always close all browser instances/windows and delete all cookies before logging in to WebLogic Server Console. References ========== [1] BEA Systems Security Advisory BEA05-80.00 http://dev2dev.bea.com/pub/advisory/130 Acknowledgments =============== We would like to acknowledge Gordon Engel of BEA Systems for extremely diligent and professional handling of the identified vulnerability. Contact ======= ACROS d.o.o. Makedonska ulica 113 SI - 2000 Maribor e-mail: security@acrossecurity.com web: http://www.acrossecurity.com phone: +386 2 3000 280 fax: +386 2 3000 282 ACROS Security PGP Key http://www.acrossecurity.com/pgpkey.asc [Fingerprint: FE9E 0CFB CE41 36B0 4720 C4F1 38A3 F7DD] ACROS Security Advisories http://www.acrossecurity.com/advisories.htm ACROS Security Papers http://www.acrossecurity.com/papers.htm ASPR Notification and Publishing Policy http://www.acrossecurity.com/asprNotificationAndPublishingPolicy.htm Disclaimer ========== The content of this report is purely informational and meant only for the purpose of education and protection. ACROS d.o.o. shall in no event be liable for any damage whatsoever, direct or implied, arising from use or spread of this information. All identifiers (hostnames, IP addresses, company names, individual names etc.) used in examples and demonstrations are used only for explanatory purposes and have no connection with any real host, company or individual. In no event should it be assumed that use of these names means specific hosts, companies or individuals are vulnerable to any attacks nor does it mean that they consent to being used in any vulnerability tests. The use of information in this report is entirely at user's risk. Revision History ================ May 24, 2005: Initial release Copyright ========= (c) 2005 ACROS d.o.o. Forwarding and publishing of this document is permitted providing the content between "[BEGIN-ACROS-REPORT]" and "[END-ACROS-REPORT]" marks remains unchanged. =====[END-ACROS-REPORT]=====