exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ACROS Security Problem Report 2005-05-24.1

ACROS Security Problem Report 2005-05-24.1
Posted Aug 14, 2005
Authored by Mitja Kolsek, ACROS Security | Site acrossecurity.com

WebLogic Server and WebLogic Express, Service Pack 4, are susceptible to cross site scripting flaws.

tags | advisory, xss
SHA-256 | 2619b3310f3c47e89eec1626a229bb5d830f5decc8011308daf41b04d6db1c6a

ACROS Security Problem Report 2005-05-24.1

Change Mirror Download
=====[BEGIN-ACROS-REPORT]=====

PUBLIC

=========================================================================
ACROS Security Problem Report #2005-05-24-1
-------------------------------------------------------------------------
ASPR #2005-05-24-1: HTML Injection in BEA WebLogic Server Console (1)
=========================================================================

Document ID: ASPR #2005-05-24-1-PUB
Vendor: BEA Systems (http://www.bea.com)
Target: WebLogic Server and WebLogic Express, Service Pack 4
Impact: An HTML injection vulnerability exists in WebLogic
Server Console, enabling attackers to hijack
administrative sessions using cross site scripting
Severity: High
Status: Official patch available, workarounds available
Discovered by: Mitja Kolsek of ACROS Security

Current version
http://www.acrossecurity.com/aspr/ASPR-2005-05-24-1-PUB.txt


Summary
=======

There is an HTML Injection vulnerability in WebLogic Server and WebLogic
Express Server Console that allows the attacker to assume administrator's
identity and thus gain administrative access to Server Console. It is
possible to craft such URL that will, when requested from WebLogic server,
return a document with arbitrarily chosen HTML injected. An obvious
(mis)use for this type of vulnerability is cross-site scripting that can
be used, among other things, for obtaining administrative session cookies
from WebLogic administrators. These cookies, when stolen, provide the
attacker with administrative access to WebLogic Server Console,
compromising the security of entire web server.


Product Coverage
================

- WebLogic Server 8.1, Service Pack 4 - affected
- WebLogic Express 7.0, Service Pack 6 - affected

Older versions are likely to be affected as well.


Analysis
========

Cross site scripting is a very common problem with web-based applications.
Basically it is present whenever the server is willing to include user's
input data, which contains some client-side script (e.g. JavaScript), back
to the browser unsanitized, somewhere within the generated web page. This
script, when executed, has access to all information within and about the
received web page, including the cookies.

WebLogic Server Console employs an ADMINCONSOLESESSION session cookie for
administrative session maintenance. After administrator's initial
connection to the Server Console, WebLogic server generates a unique
session identifier (session ID) and sends it to administrator's browser as
a cookie named ADMINCONSOLESESSION. This session ID effectively becomes a
static password for the session, meaning that until the session times out
or is closed by the logged in administrator (by logging off), any browser
with access to port 7001/7002 of WebLogic server and knowledge of the
session ID will have access to this session, and thereby access to
administration of WebLogic application server.


Mitigating Factors
==================

1) Attacker must lure the WebLogic administrator into visiting a hostile
web site while he (admin) has an authenticated session with the
WebLogic Server Console.


Solution
========

BEA Systems has issued a security bulletin [1] and published a patch
which fixes this issue.


Workaround
==========

- Don't browse around or read HTML e-mail while administering WebLogic
server.
- Always close all browser instances/windows before logging in to
WebLogic Server Console.


References
==========

[1] BEA Systems Security Advisory BEA05-80.00
http://dev2dev.bea.com/pub/advisory/130


Acknowledgments
===============

We would like to acknowledge Gordon Engel of BEA Systems for extremely
diligent and professional handling of the identified vulnerability.


Contact
=======

ACROS d.o.o.
Makedonska ulica 113
SI - 2000 Maribor

e-mail: security@acrossecurity.com
web: http://www.acrossecurity.com
phone: +386 2 3000 280
fax: +386 2 3000 282

ACROS Security PGP Key
http://www.acrossecurity.com/pgpkey.asc
[Fingerprint: FE9E 0CFB CE41 36B0 4720 C4F1 38A3 F7DD]

ACROS Security Advisories
http://www.acrossecurity.com/advisories.htm

ACROS Security Papers
http://www.acrossecurity.com/papers.htm

ASPR Notification and Publishing Policy
http://www.acrossecurity.com/asprNotificationAndPublishingPolicy.htm


Disclaimer
==========

The content of this report is purely informational and meant only for the
purpose of education and protection. ACROS d.o.o. shall in no event be
liable for any damage whatsoever, direct or implied, arising from use or
spread of this information. All identifiers (hostnames, IP addresses,
company names, individual names etc.) used in examples and demonstrations
are used only for explanatory purposes and have no connection with any
real host, company or individual. In no event should it be assumed that
use of these names means specific hosts, companies or individuals are
vulnerable to any attacks nor does it mean that they consent to being used
in any vulnerability tests. The use of information in this report is
entirely at user's risk.


Revision History
================

May 24, 2005: Initial release


Copyright
=========

(c) 2005 ACROS d.o.o. Forwarding and publishing of this document is
permitted providing the content between "[BEGIN-ACROS-REPORT]" and
"[END-ACROS-REPORT]" marks remains unchanged.

=====[END-ACROS-REPORT]=====

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close