=====[BEGIN-ACROS-REPORT]=====

PUBLIC

=========================================================================
ACROS Security Problem Report #2009-10-30-1
-------------------------------------------------------------------------
ASPR #2009-10-30-1: HTML Injection in Oracle WebLogic Server Console
=========================================================================

Document ID:    ASPR #2009-10-30-1-PUB
Vendor:         Oracle (http://www.oracle.com)
Target:         Oracle WebLogic Server 10.3
Impact:         There is an HTML Injection vulnerability in WebLogic Server
                10.3 Administration Console that allows the attacker to gain
                administrative access to the server.
Severity:       High
Status:         Official patch available, workarounds available
Discovered by:  Luka Treiber of ACROS Security

Current version
http://www.acrossecurity.com/aspr/ASPR-2009-10-30-1-PUB.txt


Summary
=======

There is an HTML Injection vulnerability in WebLogic Server 10.3 Administration Console that allows the attacker to gain administrative access to the server.

It is possible to craft a URL that, when requested from the server, returns a document with arbitrarily chosen HTML injected. An obvious use for this type of vulnerability is cross-site scripting, which can be used, among other things, for obtaining session cookies from WebLogic administrators. These cookies, when stolen, provide the attacker with administrative access to the WebLogic Administration Console, compromising the security of the entire web server.

This vulnerability is exploitable even if the Administration Console is only being accessed via HTTPS, and even if the Administrative Port is enabled.


Product Coverage
================

- WebLogic Server 10.3

Note: Our tests were only performed on the above product version. Other versions may or may not be affected.

Analysis
========

Some URL argument in the WebLogic Server 10.3 Administration Console is not properly sanitized against HTML injection, which allows the attacker to introduce additional, malicious HTML into the server's response. The most common type of HTML injection is the injection of malicious client-side script, commonly known as cross-site scripting.

In an actual attack the user would not be required to open URLs specified by the attacker. Instead, a malicious web page visited by the logged-in WebLogic administrator would mount the entire attack automatically and covertly. For instance, a tiny 0x0 pixel iframe could be used to load the URL from the demonstration immediately upon the administrator's visit to the malicious page, injecting the malicious script into the WebLogic server's response. This malicious script would then silently send the administrator's session cookies to the attacker's server, where she could pick them up and use them for entering the administrator's session in the Administration Console.


Mitigating Factors
==================

- In order to execute the above attack, the attacker would need to make the administrator's browser visit a malicious web page while the administrator is logged into the Administration Console. This can be achieved using social engineering, network traffic modification or a combination of both.

- If the attacker manages to obtain a valid ADMINCONSOLESESSION cookie (and optionally the _WL_AUTHCOOKIE_ADMINCONSOLESESSION cookie), these will only be useful until the administrator logs out of the Administration Console. However, an attacker who knows that might rush to create a new administrative user in the console and use that user for WebLogic administration after the legitimate administrator has logged off.


Solution
========

Oracle has issued a security bulletin [1] and published a patch which fixes this issue.


Workaround
==========

- The WebLogic Administration Console can be disabled, which would neutralize this vulnerability.

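The defect class described in the Analysis section, shown as an added example (not code from the advisory, from Oracle, or from WebLogic): a page that reflects a query parameter into its HTML without output encoding, beside the same page with HTML entity encoding applied, plus two defender-side checks that follow from the Mitigating Factors: an allow-list scan of a response for element tags the page template never emits, and a check that a session cookie header carries the HttpOnly and Secure attributes (HttpOnly keeps the cookie out of reach of script such as the one the advisory describes). The advisory names neither the affected parameter nor the page, so the parameter name `ctx`, the page template, the host name and the cookie values below are constructed stand-ins.

```python
"""Reflected HTML injection: vulnerable reflection, hardened reflection, and two checks.

Added illustration; not the advisory's or Oracle's code. The parameter name
'ctx', the page template, the host and the cookie values are constructed.
"""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical console page template. The only element tags it ever emits
# are the ones in TEMPLATE_TAGS, which is what the allow-list check relies on.
TEMPLATE = "<html><body><h1>Console</h1><p>Path: {value}</p></body></html>"
TEMPLATE_TAGS = {"html", "body", "h1", "p"}

# Constructed sample request: the query parameter carries a percent-encoded
# '"><b>injected</b>', which breaks out of the text context once reflected.
SAMPLE_URL = "https://admin.example.invalid:9002/console/page?ctx=%22%3E%3Cb%3Einjected%3C/b%3E"

# Constructed Set-Cookie headers for the cookie-attribute check.
WEAK_COOKIE = "ADMINCONSOLESESSION=PLACEHOLDER_SESSION_ID; Path=/console"
HARDENED_COOKIE = "ADMINCONSOLESESSION=PLACEHOLDER_SESSION_ID; Path=/console; Secure; HttpOnly"


def param_from_url(url: str, name: str) -> str:
    """Return the first (percent-decoded) value of query parameter `name`, or ''."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflect the parameter verbatim: the browser parses attacker text as markup."""
    return TEMPLATE.format(value=param_from_url(url, "ctx"))


def render_hardened(url: str) -> str:
    """Reflect the parameter after HTML entity encoding of < > & " and '.

    html.escape(quote=True) is the right encoder for an HTML text node or a
    quoted attribute value; other contexts (JavaScript, URL) need their own.
    """
    return TEMPLATE.format(value=html.escape(param_from_url(url, "ctx"), quote=True))


def contains_injected_markup(document: str, allowed_tags: set) -> bool:
    """Defender's check: report any element tag in the response outside the allow-list.

    Only the tag name after '<' or '</' is inspected, so entity-encoded text
    such as '&lt;b&gt;' is (correctly) not counted as a tag.
    """
    found = {m.group(1).lower()
             for m in re.finditer(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)", document)}
    return not found <= allowed_tags


def cookie_flags(set_cookie: str) -> dict:
    """Parse a Set-Cookie header and report whether HttpOnly and Secure are set."""
    attrs = {part.strip().lower() for part in set_cookie.split(";")[1:]}
    return {"httponly": "httponly" in attrs, "secure": "secure" in attrs}


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(SAMPLE_URL))
    print("hardened:  ", render_hardened(SAMPLE_URL))
    print("injected markup in vulnerable response:",
          contains_injected_markup(render_vulnerable(SAMPLE_URL), TEMPLATE_TAGS))
    print("injected markup in hardened response:  ",
          contains_injected_markup(render_hardened(SAMPLE_URL), TEMPLATE_TAGS))
    print("weak cookie flags:    ", cookie_flags(WEAK_COOKIE))
    print("hardened cookie flags:", cookie_flags(HARDENED_COOKIE))
```

The allow-list scan is a useful regression check for a page whose template is fixed; it is not a general XSS detector, since a reflection inside an attribute or a script block can be exploited without introducing a new element tag. The cookie check reflects the second mitigating factor: a stolen session cookie is the attacker's goal, and HttpOnly denies injected script the `document.cookie` read it would need, while Secure keeps the cookie off plaintext connections.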
References
==========

[1] Oracle Critical Patch Update Advisory - October 2009
    http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2009.html


Acknowledgments
===============

We would like to acknowledge Oracle Corporation for professional handling of the identified vulnerability.


Contact
=======

ACROS d.o.o.
Makedonska ulica 113
SI - 2000 Maribor

e-mail: security@acrossecurity.com
web:    http://www.acrossecurity.com
phone:  +386 2 3000 280
fax:    +386 2 3000 282

ACROS Security PGP Key
http://www.acrossecurity.com/pgpkey.asc
[Fingerprint: FE9E 0CFB CE41 36B0 4720 C4F1 38A3 F7DD]

ACROS Security Advisories
http://www.acrossecurity.com/advisories.htm

ACROS Security Papers
http://www.acrossecurity.com/papers.htm

ASPR Notification and Publishing Policy
http://www.acrossecurity.com/asprNotificationAndPublishingPolicy.htm


Disclaimer
==========

The content of this report is purely informational and meant only for the purpose of education and protection. ACROS d.o.o. shall in no event be liable for any damage whatsoever, direct or implied, arising from use or spread of this information. All identifiers (hostnames, IP addresses, company names, individual names etc.) used in examples and demonstrations are used only for explanatory purposes and have no connection with any real host, company or individual. In no event should it be assumed that use of these names means specific hosts, companies or individuals are vulnerable to any attacks nor does it mean that they consent to being used in any vulnerability tests. The use of information in this report is entirely at the user's risk.


Revision History
================

October 30, 2009: Initial release


Copyright
=========

(c) 2009 ACROS d.o.o.

Forwarding and publishing of this document is permitted providing the content between "[BEGIN-ACROS-REPORT]" and "[END-ACROS-REPORT]" marks remains unchanged.

=====[END-ACROS-REPORT]=====