lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 16 Jul 2009 18:18:26 +0400
From: DSecRG <research@...crg.com>
To: bugtraq@...urityfocus.com, vuln@...unia.com,
	packet@...ketstormsecurity.org
Subject: [DSECRG-09-031] Oracle BEA Weblogic 10.3 Linked ХSS vulnerability

Digital Security Research Group [DSecRG] Advisory       #DSECRG-09-031

http://dsecrg.com/pages/vul/show.php?id=131
  
Application:                    Oracle BEA Weblogic 10 
Versions Affected:              Oracle BEA Weblogic 10  
Vendor URL:                     http://oracle.com
Bugs:                           Linked XSS Vulnerability 
Exploits:                       YES
Reported:                       18.03.2009
Vendor response:                19.03.2009                 
Description:                    XSS in Search   
Date of Public Advisory:        16.07.2009
Authors:                        Alexandr Polyakov
                                Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)


Description
***********
Luinked XSS Vulnerability found in Oracle BEA Weblogic Server version 10.3.


Details
*******

Vulnerabilities found in console-help.portal script of Weblogic Server.

Linked XSS found in /consolehelp/console-help.portal. Vulnerable parameter "searchQuery"


Example
*******
http://testserver.com:7011//consolehelp/console-help.portal?_nfpb=true&_pageLabel=ConsoleHelpSearchPage&searchQuery="><script>alert('DSECRG')</script>


Fix Information
***************


Information was published in CPU July 2009.
All customers can download CPU petches following instructions from: 

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html 



Credits
*******
Oracle give a credits for Alexandr Polyakov from Digital Security Company in CPU July 2009.

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html 

Original Advisory
http://dsecrg.com/pages/vul/show.php?id=131

About
*****
Digital Security is one of the leading IT security companies in CEMEA, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.


Contact:        research [at] dsecrg [dot] com
                http://www.dsecrg.com



Polyakov Alexandr
Chief Information Security Analyst
______________________

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ