RE: ACROS Security: HTML Injection in BEA WebLogic Server Console (2)

To: "'Will Schroeder'" <wschroed@xxxxxxxxxxxxxxxx>
Subject: RE: ACROS Security: HTML Injection in BEA WebLogic Server Console (2)
From: "ACROS Security" <lists@xxxxxxxx>
Date: Fri, 27 May 2005 12:06:33 +0200
Cc: <bugtraq@xxxxxxxxxxxxxxxxx>, <NTBUGTRAQ@xxxxxxxxxxxxxxxxxxxxxx>
In-reply-to: <429485F0.30109@xxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Thread-index: AcVhM45i7Y2UaGZdRhixb1L1QRBKUwBb2TUg

Will,

> To exploit this an admin user still needs to click on a link 
> to a URL right? or is the malicious javascript inserted into 
> the login page via http splitting?

An attacker needs to either trick the admin to visit some web page, or
modify the response of any web server the admin ever connects to (e.g.,
Google). What's important is that he can do this any time _before_ the admin
logs in to WebLogic console, not during an already active administration
session. This makes the attack very easy, at least from my pen-testing
perspective.

Sorry for the delay in replying.

Mitja Kolsek

ACROS, d.o.o.
Makedonska ulica 113
SI - 2000 Maribor, Slovenia
tel: +386 2 3000 280
fax: +386 2 3000 282
web: http://www.acrossecurity.com

References:
- Re: ACROS Security: HTML Injection in BEA WebLogic Server Console (2)
  - From: Will Schroeder

Prev by Date: Re: [SECURITY] [DSA 729-1] New PHP4 packages fix denial of service
Next by Date: [SECURITY] [DSA 730-1] New bzip2 packages fix file unauthorised permissions modification
Previous by thread: Re: ACROS Security: HTML Injection in BEA WebLogic Server Console (2)
Next by thread: ACROS Security: HTML Injection in BEA WebLogic Server Console (1)
Index(es):
- Date
- Thread