BEA WebLogic Server and Express, WebLogic Integration, and Liquid Data console application cross-site scripting
| weblogic-console-application-xss (12920) |  Medium Risk |
Description:
BEA WebLogic Server and Express, WebLogic Integration, and Liquid Data are vulnerable to cross-site scripting, caused by a vulnerability in the console application and/or some of the samples provided by BEA. A remote attacker could create a malicious URL link containing script, which would be executed in the administrator's Web browser within the security context of the hosting site, once a user with special administrative privileges clicks the link. An attacker could exploit this vulnerability to steal the administrator's cookie-based authentication credentials, obtain other sensitive information, or perform actions as the administrator.
Consequences:
Gain Access
Remedy:
For WebLogic Integration 7.0:
Apply the WebLogic Server patch to WebLogic Server 7.0 SP2 and apply the WebLogic Integration patch to WebLogic Integration 7.0 SP2 for this vulnerability, as listed in BEA Systems Inc. SECURITY ADVISORY (BEA03-36.01). See References.
For WebLogic Integration 2.1 running on WebLogic Server 6.1 Service Pack 3:
Apply the WebLogic Server patch to WebLogic Server 6.1 SP3 and apply the WebLogic Integration patch to WebLogic Integration 2.1 for this vulnerability, as listed in BEA Systems Inc. SECURITY ADVISORY (BEA03-36.01). See References.
For WebLogic Integration 2.1 running on WebLogic Server 6.1 Service Pack 2:
Apply the WebLogic Server patch to WebLogic Server 6.1 SP2 and apply the WebLogic Integration patch to WebLogic Integration 2.1 for this vulnerability, as listed in BEA Systems Inc. SECURITY ADVISORY (BEA03-36.01). See References.
For Liquid Data 1.1:
Apply the WebLogic Server patch to WebLogic Server 7.0 SP2 and upgrade to Liquid Data Rolling Patch 4 for this vulnerability, as listed in BEA Systems Inc. SECURITY ADVISORY (BEA03-36.01). See References.
For WebLogic Server 7.0:
Upgrade to Service Pack 3 and apply the patch for this vulnerability, as listed in BEA Systems Inc. SECURITY ADVISORY (BEA03-36.01). See References.
For WebLogic Server 6.1:
Upgrade to Service Pack 5 and apply the patch for this vulnerability, as listed in BEA Systems Inc. SECURITY ADVISORY (BEA03-36.01). See References.
For WebLogic Server 5.1:
Upgrade to Service Pack 13 and apply the patch for this vulnerability, as listed in BEA Systems Inc. SECURITY ADVISORY (BEA03-36.01). See References.
References:
- BEA Systems, Inc. Security Advisory (BEA03-36.01): Patches available to prevent multiple cross-site scripting (XSS) vulnerabilities. .
- BID-8357: Bea WebLogic/Liquid Data Multiple Cross-Site Scripting Vulnerabilities
- CVE-2003-0733: Multiple cross-site scripting (XSS) vulnerabilities in WebLogic Integration 7.0 and 2.0, Liquid Data 1.1, and WebLogic Server and Express 5.1 through 7.0, allow remote attackers to execute arbitrary web script and steal authentication credentials via (1) a forward instruction to the Servlet container or (2) other vulnerabilities in the WebLogic Server console application.
Platforms Affected:
- BEA Liquid Data 1.1
- BEA WebLogic Integration 2.1
- BEA WebLogic Integration 7.0
- Oracle WebLogic Server 5.1 Express
- Oracle WebLogic Server 5.1
- Oracle WebLogic Server 6.1 Express
- Oracle WebLogic Server 6.1
- Oracle WebLogic Server 7.0
- Oracle WebLogic Server 7.0 Express
Reported:
Aug 15, 2003
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net