[Full-Disclosure] Corsaire Security Advisory: BEA WebLogic example InteractiveQuery.jsp XSS issue

From: advisories (advisories_at_corsaire.com)
Date: 10/31/03

    To: <full-disclosure@lists.netsys.com>
    Date: Fri, 31 Oct 2003 12:08:29 -0000
    
    

    -- Corsaire Security Advisory --

    Title: BEA WebLogic example InteractiveQuery.jsp XSS issue
    Date: 04.07.03
    Application: BEA WebLogic 8.1 and prior
    Environment: Various
    Author: Martin O'Neal [martin.oneal@corsaire.com]
    Audience: General distribution
    Reference: c030704-008

    -- Scope --

    The aim of this document is to clearly define a vulnerability in the BEA
    WebLogic InteractiveQuery.jsp example application, as supplied by BEA
    Systems, Inc [1], that would allow an attacker to perform a Cross Site
    Scripting (XSS) attack.

    -- History --

    Vendor notified: 04.07.03
    Document released: 31.10.03

    -- Overview --

    The BEA WebLogic InteractiveQuery.jsp example application echoes the
    value of a request parameter back into its response without encoding
    it, so HTML and script supplied by an attacker are rendered by the
    victim's browser. This makes a reflected XSS attack possible, which can
    expose confidential information such as session cookies.

    -- Analysis --

    The BEA WebLogic InteractiveQuery.jsp example application is a
    JavaServer Pages (JSP) application that demonstrates the use of request
    parameters to query a database. One of the parameters it accepts,
    "person", is the name of a person to look up. This parameter does not
    appear to be validated, and when a value that matches no record is
    supplied, the value is simply written back verbatim into the results
    page.

    By using a carefully constructed value, script such as JavaScript can
    be executed in the context of the user's browser session with the
    WebLogic site. This style of attack can be used to gain access to
    sensitive information, such as session cookies.

    -- Proof of concept --

    This proof of concept is known to work with a default BEA WebLogic
    example installation on a Windows platform. To make it work within
    different environments, you may need to alter the path used in the URL
    appropriately.

    To replicate this issue, initiate a connection to the server that is
    hosting the WebLogic application, then request the following URL. The
    browser will percent-encode the payload in transit; the server decodes
    it again before writing it into the response.

       http://host/examplesWebApp/InteractiveQuery.jsp?person=<script>alert('XSS')</script>

    This should result in a new page, accompanied by a popup script dialog
    containing the message "XSS".

    -- Recommendations --

    Example applications should never be installed within a production
    environment.

    Read and follow the advice contained within the BEA supplied advisory on
    dealing with XSS issues [2].

    The application should be reviewed in line with security best practices,
    such as those recommended by the OWASP project [3], with special
    consideration paid to the validation of input and the encoding of
    output.
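    The reflection described in the Analysis section, and the output-encoding
    fix recommended above, as an added illustration that is not BEA's code or
    part of the original advisory. The two page-building functions are
    hypothetical stand-ins for the JSP's behaviour, the response bodies are
    constructed strings rather than real server output, and the check is the
    one a tester would run over the page returned by the proof-of-concept URL.

    ```python
    """Model of the InteractiveQuery.jsp reflection and its fix.

    Added illustration, not BEA's code: render_vulnerable / render_hardened are
    hypothetical stand-ins for the JSP, and every response below is a
    constructed string, so this runs offline.
    """
    from html import escape
    from urllib.parse import parse_qs, urlsplit

    # The probe from the advisory's proof of concept.
    PROBE = "<script>alert('XSS')</script>"


    def person_from_url(url: str) -> str:
        """Read the 'person' query parameter the way the JSP would.

        parse_qs percent-decodes the value, so the form the browser actually
        sends on the wire decodes back to the raw HTML payload.
        """
        params = parse_qs(urlsplit(url).query, keep_blank_values=True)
        return params.get("person", [""])[0]


    def render_vulnerable(person: str) -> str:
        """Stand-in for the flawed example page: the parameter is concatenated
        into the results page with no output encoding at all."""
        return f"<html><body><p>No results for {person}</p></body></html>"


    def render_hardened(person: str) -> str:
        """Same page with HTML entity encoding applied at output time, the
        equivalent of writing the parameter through an escaping tag in a JSP.
        quote=True also encodes ' and " so attribute contexts are covered."""
        return (
            "<html><body><p>No results for "
            f"{escape(person, quote=True)}</p></body></html>"
        )


    def is_reflected_unencoded(response_body: str, probe: str = PROBE) -> bool:
        """Reflected-XSS check on a response: the probe appears verbatim,
        i.e. none of its metacharacters (<, >, ', /) were encoded."""
        return probe in response_body


    if __name__ == "__main__":
        # Constructed request: the PoC URL as a browser would encode it.
        url = ("http://host/examplesWebApp/InteractiveQuery.jsp?"
               "person=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E")
        person = person_from_url(url)
        for name, render in (("vulnerable", render_vulnerable),
                             ("hardened", render_hardened)):
            print(f"{name}: reflected unencoded = "
                  f"{is_reflected_unencoded(render(person))}")
    ```

    The check deliberately looks for the probe verbatim rather than for an
    alert dialog: a response that encodes even one of the metacharacters is
    not exploitable with this payload, and that is exactly what the hardened
    renderer produces.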

    When providing example applications for use by developers, vendors
    should uphold the strictest compliance with security best practices, as
    it is common for such examples to be used as templates for real-world
    projects. By providing flawed examples, vendors are perpetuating poor
    development practice.

    -- CVE --

    The Common Vulnerabilities and Exposures (CVE) project has assigned
    the name CAN-2003-0624 to this issue. This is a candidate for
    inclusion in the CVE list (http://cve.mitre.org), which standardizes
    names for security problems.

    -- References --

    [1] http://www.bea.com
    [2] http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/SA_BEA03_36.00.jsp
    [3] http://www.owasp.org

    -- Revision --

    a. Initial release.
    b. Included reference for vendor advisory.

    -- Distribution --

    This security advisory may be freely distributed, provided that it
    remains unaltered and in its original form.

    -- Disclaimer --

    The information contained within this advisory is supplied "as-is" with
    no warranties or guarantees of fitness of use or otherwise. Corsaire
    accepts no responsibility for any damage caused by the use or misuse of
    this information.

    Copyright 2003 Corsaire Limited. All rights reserved.

    ----------------------------------------------------------------------
    CONFIDENTIALITY: This e-mail and any files transmitted with it are
    confidential and intended solely for the use of the recipient(s) only.
    Any review, retransmission, dissemination or other use of, or taking
    any action in reliance upon this information by persons or entities
    other than the intended recipient(s) is prohibited. If you have
    received this e-mail in error please notify the sender immediately
    and destroy the material whether stored on a computer or otherwise.
    ----------------------------------------------------------------------
    DISCLAIMER: Any views or opinions presented within this e-mail are
    solely those of the author and do not necessarily represent those
    of Corsaire Limited, unless otherwise specifically stated.
    ----------------------------------------------------------------------
    Corsaire Limited, 3 Tannery House, Tannery Lane, Send, Surrey, GU23 7EF
    Telephone: +44(0)1483-226000 Email:info@corsaire.com

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

