Digital Security Research Group [DSecRG] Advisory #DSECRG-09-031
Application: Oracle BEA Weblogic 10
Versions Affected: Oracle BEA Weblogic 10
Vendor URL: http://oracle.com Bugs: Linked XSS Vulnerability Exploits: YES Reported: 18.03.2009 Vendor response: 19.03.2009
Description: XSS in Search
Date of Public Advisory: 16.07.2009 Authors: Alexandr Polyakov Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)
Luinked XSS Vulnerability found in Oracle BEA Weblogic Server version 10.3.
Vulnerabilities found in console-help.portal script of Weblogic Server.
Linked XSS found in /consolehelp/console-help.portal. Vulnerable parameter "searchQuery"
Information was published in CPU July 2009. All customers can download CPU petches following instructions from:
Oracle give a credits for Alexandr Polyakov from Digital Security Company in CPU July 2009.
Original Advisory http://dsecrg.com/pages/vul/show.php?id=131
Digital Security is one of the leading IT security companies in CEMEA, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.
Contact: research [at] dsecrg [dot] com http://www.dsecrg.com
Polyakov Alexandr Chief Information Security Analyst