ASPR-2008-03-11-2.txt

Posted Mar 13, 2008
Authored by Mitja Kolsek | Site acrossecurity.com

A session fixation vulnerability exists in the WebLogic administration console. Version 10.0 is susceptible.

tags | advisory
SHA-256 | f9b44008606d60660c826241111888eda4b9b18827b96578d1ccf098a3fbaca8

=====[BEGIN-ACROS-REPORT]=====

PUBLIC

=========================================================================
ACROS Security Problem Report #2008-03-11-2
-------------------------------------------------------------------------
ASPR #2008-03-11-2: Session Fixation Vulnerability in WebLogic
Administration Console
=========================================================================

Document ID: ASPR #2008-03-11-2-PUB
Vendor: BEA Systems (http://www.bea.com)
Target: BEA WebLogic Server 10.0
Impact: A session fixation vulnerability [1] in the BEA
WebLogic 10.0 Administration Console allows an
attacker to assume the administrator's identity and
thus gain administrative access to the console.
Severity: High
Status: Official patch available, workarounds available
Discovered by: Mitja Kolsek of ACROS Security

Current version
http://www.acrossecurity.com/aspr/ASPR-2008-03-11-2-PUB.txt


Summary
=======

There is a session fixation vulnerability [1] in the BEA WebLogic 10.0
Administration Console that allows an attacker to assume the
administrator's identity and thus gain administrative access to the
console. The session management used for setting up and maintaining
administrative sessions allows the attacker to fix the administrative
session cookie(s) in the administrator's web browser and then use the same
cookie(s) to access the Administration Console after the administrator has
logged into it. The vulnerability is exploitable even if the Administration
Console is only accessed/accessible via HTTPS and even if the
Administrative Port is enabled.


Product Coverage
================

- WebLogic Server 10.0

Notes: Our tests were only performed on the above product version. Other
versions may or may not be affected.


Analysis
========

During a recent security analysis of a WebLogic-based application for our
customer we took a quick look at the WebLogic Administration Console, and
found it to be vulnerable to a session fixation attack that also works
through the Administrative Port. This attack, however, is dependent on two
conditions:

1) The attacker must be (or obtain the identity of) a non-administrative
WebLogic user; and

2) The WebLogic administrator must log in to the Administration Console
directly through the URL path /console/login/LoginForm.jsp (and not
through /console or /console/, which are much more likely).

If the attacker fixes authentication cookies in the administrator's
browser (see [1] for various ways to do that), she effectively "hands
over" her identity to the administrator. The administrator, having such
cookies fixed, logs in to the Administration Console and does not receive
any new cookies from the Console: the session identifier is not renewed on
authentication. His successful authentication therefore overwrites the
state of the session identified by those cookies, so that this session
becomes associated with the administrator (and no longer with the
attacker's non-administrative user). The final result is that the
administrator who has just logged in to the Administration Console is
using the exact same cookies as the attacker, so the attacker automatically
gains access to the administrator's session - and obtains the
administrator's identity.
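The following model, added here and not ACROS's or BEA's code, simulates the console login flow described above in two modes: "vulnerable", where the session record bound to the pre-login cookie is simply promoted to the newly authenticated user (the behaviour the advisory describes), and "hardened", where a fresh session ID is issued on successful login and the old one is invalidated. User names, passwords and session IDs are constructed for the demonstration, and the Console class is a hypothetical stand-in for the real server.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Console:
    """Hypothetical login endpoint; not the WebLogic implementation."""
    rotate_on_login: bool
    sessions: dict = field(default_factory=dict)  # session_id -> authenticated user or None
    creds: dict = field(default_factory=lambda: {"attacker": "pw1", "admin": "pw2"})
    roles: dict = field(default_factory=lambda: {"attacker": "user", "admin": "Admin"})

    def new_session(self) -> str:
        """Anonymous session handed out on first contact (e.g. the login form)."""
        sid = secrets.token_hex(8)
        self.sessions[sid] = None
        return sid

    def login(self, sid: str, user: str, password: str) -> Optional[str]:
        """Return the session ID the browser holds after login, or None on failure."""
        if sid not in self.sessions or self.creds.get(user) != password:
            return None
        if self.rotate_on_login:
            # Mitigation: discard the pre-authentication ID so a cookie fixed
            # by a third party no longer refers to the authenticated session.
            del self.sessions[sid]
            sid = secrets.token_hex(8)
        self.sessions[sid] = user  # vulnerable mode: same ID, now bound to the new user
        return sid

    def role_for(self, sid: str) -> Optional[str]:
        """Role granted to whoever presents this cookie."""
        user = self.sessions.get(sid)
        return self.roles.get(user) if user else None


def fixation_outcome(rotate_on_login: bool) -> Optional[str]:
    """Role the attacker's own cookie grants once the admin has logged in with it fixed."""
    console = Console(rotate_on_login)
    anon = console.new_session()
    # Condition 1 of the advisory: the attacker holds a valid non-administrative session.
    attacker_sid = console.login(anon, "attacker", "pw1")
    # Condition 2 is assumed: the admin's browser carries attacker_sid and the admin
    # logs in through the login form with that cookie already set.
    console.login(attacker_sid, "admin", "pw2")
    return console.role_for(attacker_sid)


if __name__ == "__main__":
    print("vulnerable:", fixation_outcome(False))  # Admin
    print("hardened:  ", fixation_outcome(True))   # None
```

In the hardened mode the attacker's cookie is dead after the administrator's login, which is exactly what the vendor patch has to guarantee and what the cookie-deletion workaround below approximates from the client side.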


Solution
========

BEA Systems has issued a security bulletin [2] and published a patch which
fixes this issue.


Workaround
==========

WebLogic administrators can manually delete all cookies in their browsers
before logging in to the Administration Console, so that no previously
fixed cookie is present when the administrative session is authenticated.


References
==========

[1] ACROS Security, "Session Fixation Vulnerability in Web-based
Applications"
http://www.acrossecurity.com/papers/session_fixation.pdf

[2] BEA Systems Security Advisory BEA08-196.00
http://dev2dev.bea.com/pub/advisory/270


Acknowledgments
===============

We would like to acknowledge Gordon Engel and Neil Smithline of BEA
Systems for professional handling of the identified vulnerability.


Contact
=======

ACROS d.o.o.
Makedonska ulica 113
SI - 2000 Maribor

e-mail: security@acrossecurity.com
web: http://www.acrossecurity.com
phone: +386 2 3000 280
fax: +386 2 3000 282

ACROS Security PGP Key
http://www.acrossecurity.com/pgpkey.asc
[Fingerprint: FE9E 0CFB CE41 36B0 4720 C4F1 38A3 F7DD]

ACROS Security Advisories
http://www.acrossecurity.com/advisories.htm

ACROS Security Papers
http://www.acrossecurity.com/papers.htm

ASPR Notification and Publishing Policy
http://www.acrossecurity.com/asprNotificationAndPublishingPolicy.htm


Disclaimer
==========

The content of this report is purely informational and meant only for the
purpose of education and protection. ACROS d.o.o. shall in no event be
liable for any damage whatsoever, direct or implied, arising from use or
spread of this information. All identifiers (hostnames, IP addresses,
company names, individual names etc.) used in examples and demonstrations
are used only for explanatory purposes and have no connection with any
real host, company or individual. In no event should it be assumed that
use of these names means specific hosts, companies or individuals are
vulnerable to any attacks nor does it mean that they consent to being used
in any vulnerability tests. The use of information in this report is
entirely at user's risk.


Revision History
================

March 11, 2008: Initial release


Copyright
=========

(c) 2008 ACROS d.o.o. Forwarding and publishing of this document is
permitted providing the content between "[BEGIN-ACROS-REPORT]" and
"[END-ACROS-REPORT]" marks remains unchanged.

=====[END-ACROS-REPORT]=====