Lucene search
beaXSS.txt
Affects BEA WebLogic 8.1 SP4 and previous versions due to cross-site scripting in 'View Error Log' feature of Administration console. Severity to be evaluated by the customer. Alerted vendor on 06/08/2005, temporary test patch provided on 06/22/2005
Show more
`
I. DESCRIPTION
A cross-site scripting issue affects the display of error events in the
'View Error Log' feature of BEA WebLogic Administration console.
II. AFFECTED PRODUCTS
BEA WebLogic 8.1 SP4 and previous.
III. HOW TO VERIFY
1. Make a HTTP request containing XSS code to a target Web server
$ printf \
"GET /<script>alert(document.cookie)</script>GomoR HTTP/1.0\r\n\r\n" \
| nc www.example.com 80
2. Login into the Administration console
3. Go to the menu 'Network configurations/servers/myserser/'
4. Click on 'View server log'
5. Search for the string GomoR and click on the BEA-id event.
A JavaScript dialog box should appear.
IV. SEVERITY
I let each customer evaluate that within their own context.
V. DISCLOSURE TIMELINE
06/08/2005 Vendor alerted
06/08/2005 First vendor response
06/10/2005 Vendor confirmed the issue
06/22/2005 Vendor gave temporary test patch
08/15/2005 Vendor public advisory
08/23/2005 GomoR public advisory
VI. REFERENCES
BEA05-80.01
http://dev2dev.bea.com/pub/advisory/135
BEA WebLogic Server and WebLogic Express Multiple Remote Vulnerabilities
http://www.securityfocus.com/bid/13717
--
^ ___ ___ FreeBSD Network - http://www.GomoR.org/ <-+
| / __ |__/ Systems & Security Engineer |
| \__/ | \ ---[ zsh$ alias psed='perl -pe ' ]--- |
+--> Net::Packet <=> http://search.cpan.org/~gomor/ <--+
`
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo25 Aug 2005 00:00Current
7.4High risk
Vulners AI Score7.4