ACROS Security wrote: > =====[BEGIN-ACROS-REPORT]===== > > PUBLIC > > ========================================================================= > ACROS Security Problem Report #2005-05-24-2 > ------------------------------------------------------------------------- > ASPR #2005-05-24-2: HTML Injection in BEA WebLogic Server Console (2) > ========================================================================= > > Document ID: ASPR #2005-05-24-2-PUB > Vendor: BEA Systems (http://www.bea.com) > Target: WebLogic Server and WebLogic Express, Service Pack 4 > Impact: An HTML injection vulnerability exists in WebLogic > Server Console, enabling attackers to hijack > administrative sessions using cross site scripting > Severity: High > Status: Official patch available, workarounds available > Discovered by: Mitja Kolsek of ACROS Security > > Current version > http://www.acrossecurity.com/aspr/ASPR-2005-05-24-2-PUB.txt > > > Summary > ======= > > There is a vulnerability in WebLogic Server Console login page that > allows the attacker to assume administrator's identity and thus gain > administrative access to Server Console. It is possible to inject > malicious JavaScript in the login page so that when administrator logs in, > his username and password are silently transmitted to attacker's web > server. > > > Product Coverage > ================ > > - WebLogic Server 8.1, Service Pack 4 - affected > - WebLogic Server 7.0, Service Pack 2 - not affected > - WebLogic Express 7.0, Service Pack 6 - affected > > Older versions are likely to be affected as well. > > > Analysis > ======== > > Cross site scripting is a very common problem with web-based applications. > Basically it is present whenever the server is willing to include user's > input data, which contains some client-side script (e.g. JavaScript), back > to the browser unsanitized, somewhere within the generated web page. This > script, when executed, has access to all information within and about the > received web page, including the cookies. > > The main differentiator of this particular vulnerability is that the > attacker need not trick the administrator into visiting a malicious web > site while being in an administrative session. Furthermore, in contrast to > other cross-site scripting vulnerabilities, this vulnerability allows the > attacker to also obtain administrator's username and password - and not > "only" his session identifier (ADMINCONSOLESESSION). > > > Solution > ======== > > BEA Systems has issued a security bulletin [1] and published a patch > which fixes this issue. > > > Workaround > ========== > > - Always close all browser instances/windows and delete all cookies before > logging in to WebLogic Server Console. > > > References > ========== > > [1] BEA Systems Security Advisory BEA05-80.00 > http://dev2dev.bea.com/pub/advisory/130 > > > Acknowledgments > =============== > > We would like to acknowledge Gordon Engel of BEA Systems for extremely > diligent and professional handling of the identified vulnerability. > > > Contact > ======= > > ACROS d.o.o. > Makedonska ulica 113 > SI - 2000 Maribor > > e-mail: security@xxxxxxxxxxxxxxxxx > web: http://www.acrossecurity.com > phone: +386 2 3000 280 > fax: +386 2 3000 282 > > ACROS Security PGP Key > http://www.acrossecurity.com/pgpkey.asc > [Fingerprint: FE9E 0CFB CE41 36B0 4720 C4F1 38A3 F7DD] > > ACROS Security Advisories > http://www.acrossecurity.com/advisories.htm > > ACROS Security Papers > http://www.acrossecurity.com/papers.htm > > ASPR Notification and Publishing Policy > http://www.acrossecurity.com/asprNotificationAndPublishingPolicy.htm > > > Disclaimer > ========== > > The content of this report is purely informational and meant only for the > purpose of education and protection. ACROS d.o.o. shall in no event be > liable for any damage whatsoever, direct or implied, arising from use or > spread of this information. All identifiers (hostnames, IP addresses, > company names, individual names etc.) used in examples and demonstrations > are used only for explanatory purposes and have no connection with any > real host, company or individual. In no event should it be assumed that > use of these names means specific hosts, companies or individuals are > vulnerable to any attacks nor does it mean that they consent to being used > in any vulnerability tests. The use of information in this report is > entirely at user's risk. > > > Revision History > ================ > > May 24, 2005: Initial release > > > Copyright > ========= > > (c) 2005 ACROS d.o.o. Forwarding and publishing of this document is > permitted providing the content between "[BEGIN-ACROS-REPORT]" and > "[END-ACROS-REPORT]" marks remains unchanged. > > =====[END-ACROS-REPORT]===== To exploit this an admin user still needs to click on a link to a URL right? or is the malicious javascript inserted into the login page via http splitting?
