|
|
|
|
| |
| The aim of this document is to clearly define a vulnerability in the BEA WebLogic InteractiveQuery.jsp example application, as supplied by BEA Systems, Inc, that would allow an attacker to perform a Cross Site Scripting (XSS) attack. |
| |
Credit:
The information has been provided by Corsaire Security Advisory.
|
| |
Vulnerable systems:
* BEA WebLogic version 8.1 and prior
The BEA WebLogic InteractiveQuery.jsp example application can be passed HTML constructs within arguments. This makes it possible to achieve an XSS attack, potentially giving access to confidential information, such as session cookies etc.
Analysis:
The BEA WebLogic InteractiveQuery.jsp example application is a CGI application that demonstrates the use of arguments to query a database. One of the start-up arguments that it accepts is a name of a person. This argument does not appear to be tested for formatting and if an invalid value is passed to the application, the value is simply repeated back in a results page.
By using a carefully constructed value, mobile code such as JAVA, can be executed within the users context. This style of attack can be used to gain access to sensitive information, such as session cookies etc.
Proof of concept:
This proof of concept is known to work with a default BEA WebLogic example installation on a Windows platform. To make it work within different environments, you may need to alter the path used in the URL appropriately.
To replicate this issue, initiate a connection to the server that is hosting the WebLogic application, and then use the following URL.
http://host/examplesWebApp/InteractiveQuery.jsp?person=< script>alert('XSS')</script>
This should result in a new page, accompanied by a popup script dialog containing the message "XSS".
Recommendations:
Example applications should never be installed within a production environment.
Read and follow the advice contained within the BEA supplied advisory on dealing with XSS issues (http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/SA_BEA03_36.00.jsp).
The application should be reviewed in line with security best practices, such as those recommended by the OWASP project, with special consideration paid to the validation of input, and output fields.
When providing example applications for use by developers, vendors should uphold the strictest compliance with security best practices, as it is common for such examples to be used as templates for real-world projects. By providing flawed examples, vendors are perpetuating poor development practice.
|
|
|
|
|
|
|
|
|
|
