Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:22180
HistoryJul 16, 2009 - 12:00 a.m.

[DSECRG-09-031] Oracle BEA Weblogic 10.3 Linked ХSS vulnerability

2009-07-1600:00:00
vulners.com
51

Digital Security Research Group [DSecRG] Advisory #DSECRG-09-031

http://dsecrg.com/pages/vul/show.php?id=131

Application: Oracle BEA Weblogic 10
Versions Affected: Oracle BEA Weblogic 10
Vendor URL: http://oracle.com
Bugs: Linked XSS Vulnerability
Exploits: YES
Reported: 18.03.2009
Vendor response: 19.03.2009
Description: XSS in Search
Date of Public Advisory: 16.07.2009
Authors: Alexandr Polyakov
Digital Security Research Group [DSecRG] (research [at] dsec [dot]
ru)

Description


Luinked XSS Vulnerability found in Oracle BEA Weblogic Server version 10.3.

Details


Vulnerabilities found in console-help.portal script of Weblogic Server.

Linked XSS found in /consolehelp/console-help.portal. Vulnerable parameter "searchQuery"

Example


http://testserver.com:7011//consolehelp/console-help.portal?_nfpb=true&_pageLabel=ConsoleHelpSearchPage&searchQuery="><script>alert('DSECRG')</script>

Fix Information


Information was published in CPU July 2009.
All customers can download CPU petches following instructions from:

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html

Credits


Oracle give a credits for Alexandr Polyakov from Digital Security Company in CPU July 2009.

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html

Original Advisory
http://dsecrg.com/pages/vul/show.php?id=131

About


Digital Security is one of the leading IT security companies in CEMEA, providing information
security consulting, audit and penetration testing services, risk analysis and ISMS-related services
and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group
focuses on application and database security problems with vulnerability reports, advisories and
whitepapers posted regularly on our website.

Contact: research [at] dsecrg [dot] com
http://www.dsecrg.com

Polyakov Alexandr
Chief Information Security Analyst