
UNIRAS Brief - 599/03 - XSS vulnerability in BEA WebLogic example program



-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 599/03 dated 31.10.03  Time: 14:55
   UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ---------------------------------------------------------------------------------- 

   UNIRAS material is also available from its website at www.uniras.gov.uk
   Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

UNIRAS comment
==============

A potential security problem exists in one of the code samples distributed
by the product vendor.  Developers should exercise care when basing their
work on such samples, and observe secure programming practices.  References
are supplied at the end of the Corsaire advisory.

Title
=====

Corsaire Security Advisory:

XSS vulnerability in BEA WebLogic example program

Detail
======

- -- Corsaire Security Advisory --

Title: BEA WebLogic example InteractiveQuery.jsp XSS issue
Date: 04.07.03
Application: BEA WebLogic 8.1 and prior
Environment: Various
Author: Martin O'Neal [martin.oneal@xxxxxxxxxxxx]
Audience: General distribution
Reference: c030704-008


- -- Scope --

The aim of this document is to clearly define a vulnerability in the BEA
WebLogic InteractiveQuery.jsp example application, as supplied by BEA
Systems, Inc [1], that would allow an attacker to perform a Cross Site
Scripting (XSS) attack.


- -- History --

Vendor notified: 04.07.03
Document released: 31.10.03


- -- Overview --

The BEA WebLogic InteractiveQuery.jsp example application can be passed
HTML constructs within arguments. This makes it possible to achieve an
XSS attack, potentially giving access to confidential information, such
as session cookies etc.


- -- Analysis --

The BEA WebLogic InteractiveQuery.jsp example application is a CGI
application that demonstrates the use of arguments to query a database.
One of the start-up arguments that it accepts is a name of a person.
This argument does not appear to be tested for formatting and if an
invalid value is passed to the application, the value is simply repeated
back in a results page.

By using a carefully constructed value, mobile code, such as JAVA, can be
executed within the user's context. This style of attack can be used to
gain access to sensitive information, such as session cookies etc.


- -- Proof of concept --

This proof of concept is known to work with a default BEA WebLogic
example installation on a Windows platform. To make it work within
different environments, you may need to alter the path used in the URL
appropriately.

To replicate this issue, initiate a connection to the server that is
hosting the WebLogic application, then use the following URL.

    http://host/examplesWebApp/InteractiveQuery.jsp?
    person=<script>alert('XSS')</script>

This should result in a new page, accompanied by a popup script dialog
containing the message "XSS".


- -- Recommendations --

Example applications should never be installed within a production
environment.

Read and follow the advice contained within the BEA supplied advisory on
dealing with XSS issues [2].

The application should be reviewed in line with security best practices,
such as those recommended by the OWASP project [3], with special
consideration paid to the validation of input and output fields.
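The following is an added example, not code from Corsaire or from the BEA
example application, showing the defect described in the Analysis section
beside the output-encoding fix that the recommendation above calls for. It
models the page in JavaScript: the "person" argument is read from the query
string (the JSP analogue being request.getParameter("person")) and written
into a results page, first unchanged and then HTML-encoded. Function names,
the page layout and the sample request are assumptions made for the example.

```javascript
// Added example (not Corsaire's or BEA's code): a minimal model of the
// InteractiveQuery.jsp behaviour described in the advisory, alongside a
// hardened version that HTML-encodes the reflected parameter before it is
// written into the results page. Function and parameter names are assumed.

// Encode the five characters that can change HTML context. Apply this to any
// untrusted value placed into element content or a quoted attribute.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Mirrors the defect: the "person" argument is echoed into the results page
// unchanged, so markup in the argument becomes markup in the page.
function renderVulnerable(person) {
  return "<html><body><p>Results for " + person + "</p></body></html>";
}

// Hardened: the same page, but the argument is output-encoded first.
function renderHardened(person) {
  return "<html><body><p>Results for " + htmlEncode(person) + "</p></body></html>";
}

// Read the "person" query parameter the way the JSP would see it
// (request.getParameter("person")), using the standard URL API, which
// percent-decodes the value.
function personFromUrl(url) {
  return new URL(url).searchParams.get("person") ?? "";
}

// Crude check used only to show the difference between the two renderings:
// does the produced page contain a <script> element?
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

// Constructed request matching the advisory's proof-of-concept URL.
const sampleUrl =
  "http://host/examplesWebApp/InteractiveQuery.jsp?person=" +
  encodeURIComponent("<script>alert('XSS')</script>");

const person = personFromUrl(sampleUrl);
console.log("vulnerable page has script element:",
  containsScriptElement(renderVulnerable(person)));  // true
console.log("hardened page has script element:",
  containsScriptElement(renderHardened(person)));    // false
console.log(renderHardened(person));
```

Encoding at the point of output is the fix that works regardless of what the
input validation lets through; validation of the "person" field (for example
restricting it to letters, spaces and a bounded length) is worth adding as a
second layer, but on its own it is easy to get wrong for a free-text name.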

When providing example applications for use by developers, vendors
should uphold the strictest compliance with security best practices, as
it is common for such examples to be used as templates for real-world
projects. By providing flawed examples, vendors are perpetuating poor
development practice.


- -- CVE --

The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CAN-2003-0624 to this issue. This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.


- -- References --

[1] http://www.bea.com
[2] http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/SA_BEA03_36.00.jsp
[3] http://www.owasp.org


- -- Revision --

a. Initial release.
b. Included reference for vendor advisory.


- -- Distribution --

This security advisory may be freely distributed, provided that it
remains unaltered and in its original form.


- -- Disclaimer --

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. Corsaire
accepts no responsibility for any damage caused by the use or misuse of
this information.


Copyright 2003 Corsaire Limited. All rights reserved.

- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by
telephone.  Not Protectively Marked information may be sent via e-mail to
uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 20 7821 1330 Ext 4511
Fax: +44 (0) 20 7821 1686

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 20 7821 1330 and follow the prompts

- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of Corsaire for the information
contained in this Briefing.
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some
of the information may have changed since it was released. If the vulnerability
affects you, it may be prudent to retrieve the advisory from the canonical site
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade
name, trademark, manufacturer, or otherwise, does not constitute or imply
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views
and opinions of authors expressed within this notice shall not be used for
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors
or omissions contained within this briefing notice. In particular, they shall
not be liable for any loss or damage whatsoever, arising from or in connection
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST)
and has contacts with other international Incident Response Teams (IRTs) in
order to foster cooperation and coordination in incident prevention, to prompt
rapid reaction to incidents, and to promote information sharing amongst its
members and the community at large.
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2

iQCVAwUBP6J334pao72zK539AQEjqgQAjLtwU1gOy+m7NqIbeGaYGKh1lLO8+sUl
rnGP4vHlV8uk/AlwcVwqTQ/QXXHsYvhTVyVXrK1nqofAWp6ro1Ast5TSSEYDHH0V
5BXa7yR2/Q8XSmWv5PdIP2VMSDW1wHlPjqUKOlMicbID5guxY31LEbnvxbs9bACg
Qtf1t/fRJuI=
=OWf7
-----END PGP SIGNATURE-----