+============================================================================================+
+ Oracle Corporation BEA WebLogic Portal & high XSS Vulnerabilities                          +
+============================================================================================+

Author(s): Ivan Sanchez

Product:
---------
BEA Systems Inc
http://www.bea.com
Oracle Corporation BEA WebLogic Portal (and others)

Nullcode has reported a vulnerability in BEA WebLogic Portal domains, which can be exploited by malicious people to conduct high-severity cross-site scripting attacks.

Input passed to the "q" parameter and handled by the "search_g4.js" function isn't properly sanitised before it is reflected back into the page. This can be exploited to execute arbitrary script in a user's browser, in the context of the affected site, via a crafted link.

The vulnerability has been reported in all *.bea.com domains: all of these sites use the same search function. Other versions and other BEA products may therefore also be affected.

Google Dork:
-----------
site:bea.com/

You can see hundreds of sites.

Function vulnerable:
--------------------
GET http://www.bea.com/content/search/search_g4.js HTTP/1.1

search_g4.js ("textbox search", insert for example):
">

Then redirect to other BEA application:
---------------------------------------
Referer: http://see*.bea.com/search?q=">
GET http://see*.bea.com/search?q=">&x=12&y=8&ie=latin1&site=all&output=xml_no_dtd&client=www&lr=lang_en&proxystylesheet=www&oe=latin1&filter=p&source=www HTTP/1.1
=> HTTP/1.1 200 OK [1.922 s]

Simply exploited: the server answers 200 OK and the unescaped value of "q" is returned in the response.

Extract internal code:
1-
2- you can see URL://"the QueryStrings"

Solution:
---------
Edit the source code to ensure that input is properly sanitised: HTML-escape the value of "q" (and any other reflected parameter) before it is written into the page, in the attribute context as well as in the text context.

NULL CODE SERVICES [ www.nullcode.com.ar ]
Hunting Security Bugs!
+============================================================================================+
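The following is an added illustration of the bug class described above and of the fix suggested in the Solution section. It is not the source of bea.com's search_g4.js (the advisory does not reproduce that code), so both the vulnerable and the fixed rendering functions, the hostname and the request URL are constructed assumptions. The example parses "q" out of a search URL, shows how straight concatenation lets a `">` prefix close the attribute and open a new tag, and shows an escaping routine that leaves no raw markup in the output.

```javascript
// Added example (not code from the advisory or from BEA): a search page that
// reflects the "q" query parameter into its own markup.

// Return the percent-decoded value of one query-string parameter.
// The advisory's request is of this shape: /search?q=...&site=all&client=www
function getQueryParam(url, name) {
  return new URL(url).searchParams.get(name);
}

// Vulnerable pattern: "q" is concatenated directly into HTML that the page
// later writes with innerHTML / document.write. A value beginning with ">
// closes the value attribute and the <input> tag, and everything after it
// is parsed as new markup in the origin of the search page (reflected XSS).
function renderResultsVulnerable(q) {
  return '<input name="q" value="' + q + '">' +
         '<p>Results for: ' + q + '</p>';
}

// Fix: escape every character that can change HTML structure. Quotes must be
// escaped too, because the value is also placed inside an attribute.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

function renderResultsFixed(q) {
  const safe = escapeHtml(q);
  return '<input name="q" value="' + safe + '">' +
         '<p>Results for: ' + safe + '</p>';
}

// Check a tester would run against a response: does the attacker-supplied
// string survive verbatim (i.e. with its < > " intact) in the rendered HTML?
function containsRawMarkup(html, payload) {
  return html.includes(payload);
}

// Constructed sample request (hostname is a stand-in, not a real bea.com host).
// Decoded, q is: "><script>alert(1)</script>
const sampleUrl =
  'http://search.example.com/search?q=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E&site=all&client=www';
const sampleQ = getQueryParam(sampleUrl, 'q');

console.log('vulnerable:', renderResultsVulnerable(sampleQ));
console.log('fixed:     ', renderResultsFixed(sampleQ));
```

Escaping is context-specific: the routine above is correct for HTML text and double-quoted attribute values, which is where the advisory's `">` prefix lands. If the same parameter were ever placed inside a `<script>` block or a URL attribute, a different encoder would be needed for that context.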