RE: ACROS Security: HTML Injection in BEA WebLogic Server Console (2)

From: ACROS Security (lists_at_acros.si)
Date: 05/27/05

    To: "'Will Schroeder'" <wschroed@schroedernet.net>
    Date: Fri, 27 May 2005 12:06:33 +0200
    
    

    Will,

    > To exploit this an admin user still needs to click on a link
    > to a URL right? or is the malicious javascript inserted into
    > the login page via http splitting?

    An attacker needs to either trick the admin to visit some web page, or
    modify the response of any web server the admin ever connects to (e.g.,
    Google). What's important is that he can do this any time _before_ the admin
    logs in to WebLogic console, not during an already active administration
    session. This makes the attack very easy, at least from my pen-testing
    perspective.

    Sorry for the delay in replying.

    Mitja Kolsek

    ACROS, d.o.o.
    Makedonska ulica 113
    SI - 2000 Maribor, Slovenia
    tel: +386 2 3000 280
    fax: +386 2 3000 282
    web: http://www.acrossecurity.com

