Vigil@nce: Oracle WebLogic Server, Cross Site Scripting of examples
January 2009 by Vigil@nce
When the sample applications are installed, an attacker can perform a
Cross Site Scripting attack against Oracle WebLogic Server.
– Gravity: 1/4
– Consequences: client access/rights
– Provenance: document
– Means of attack: 1 attack
– Ability of attacker: technician (2/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: medium (2/3)
– Creation date: 16/01/2009
IMPACTED PRODUCTS
– Oracle WebLogic Server
DESCRIPTION OF THE VULNERABILITY
The WebLogic Server distribution ships sample applications that an
administrator can deploy, among them the reviewService module, which
contains pages such as:
/reviewService/createArtist_service.jsp
/reviewService/addBooks_session_ejb21.jsp
/reviewService/addReview_service.jsp
/reviewService/addReview_session.jsp
However, these samples were not designed to be deployed in production.
They write the request parameters they receive into the generated HTML
page without validating or encoding them.
When the samples are installed, an attacker who lures a user onto a
crafted link to one of these pages can therefore inject script into the
page (Cross Site Scripting) and have it run in the user's browser.
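To make the failure mode concrete and give an administrator a way to check a deployment, here is an added example; it is not code from the advisory, from Vigil@nce or from Oracle's samples. It simulates the two rendering patterns (the unencoded echo the advisory describes, and an HTML-encoded version) and sends a harmless canary to the four listed paths, classifying whether it comes back unencoded. The parameter name `name`, the host name and the simulated server responses are assumptions; the advisory does not name the echoed parameters.

```python
import html
import secrets
from typing import Callable, Dict
from urllib.parse import urlencode, urljoin

# Paths taken from the advisory. The parameter name is a placeholder
# (assumption): the advisory does not say which parameters are echoed.
SAMPLE_PATHS = [
    "/reviewService/createArtist_service.jsp",
    "/reviewService/addBooks_session_ejb21.jsp",
    "/reviewService/addReview_service.jsp",
    "/reviewService/addReview_session.jsp",
]
PARAM = "name"


def render_unencoded(label: str, value: str) -> str:
    """The pattern the advisory describes: the request parameter is written
    straight into the HTML response, like <%= request.getParameter(..) %>."""
    return f"<html><body><p>{label}: {value}</p></body></html>"


def render_encoded(label: str, value: str) -> str:
    """Hardened form: HTML-encode the value before writing it out, so <, >,
    & and quotes cannot close the text context and start new markup."""
    return f"<html><body><p>{label}: {html.escape(value, quote=True)}</p></body></html>"


def make_canary() -> str:
    """Harmless marker that only survives intact if the page echoes input
    without encoding; the random suffix avoids matching unrelated text."""
    return f'"><xss{secrets.token_hex(4)}>'


def build_probe_url(base: str, path: str, canary: str, param: str = PARAM) -> str:
    """URL for one probe. urlencode percent-encodes the canary for transport;
    the server decodes it again before the JSP reads the parameter."""
    return urljoin(base, path) + "?" + urlencode({param: canary})


def classify_reflection(body: str, canary: str) -> str:
    """'unencoded' if the raw canary (quote and angle brackets intact) is in
    the body, 'encoded' if only an HTML-escaped form is, else 'absent'."""
    if canary in body:
        return "unencoded"
    if html.escape(canary, quote=True) in body or html.escape(canary, quote=False) in body:
        return "encoded"
    return "absent"


def probe(base: str, fetch: Callable[[str], str], canary: str) -> Dict[str, str]:
    """Send the canary to every sample path through `fetch` (any callable
    that takes a URL and returns the response body) and classify each reply."""
    return {path: classify_reflection(fetch(build_probe_url(base, path, canary)), canary)
            for path in SAMPLE_PATHS}


def fake_server(canary: str) -> Callable[[str], str]:
    """Constructed responses standing in for a live server (assumption):
    two pages echo unencoded, one encodes, one never shows the value.
    It returns the decoded canary directly, as a real server would after
    URL-decoding the query string."""
    def fetch(url: str) -> str:
        if "createArtist_service" in url or "addReview_service" in url:
            return render_unencoded("Artist", canary)
        if "addBooks_session_ejb21" in url:
            return render_encoded("Book", canary)
        return "<html><body><p>Review stored.</p></body></html>"
    return fetch


if __name__ == "__main__":
    c = make_canary()
    results = probe("http://weblogic.example:7001", fake_server(c), c)
    for path, verdict in results.items():
        print(f"{verdict:9s} {path}")
```

Against a real server, pass a fetch function built on urllib.request instead of fake_server; any path that reports "unencoded" is reflecting input verbatim. The fix that matters in production is not to encode the samples but to undeploy them altogether, which is what the advisory's "not designed for production" implies; encoding, as in render_encoded, is the pattern to apply in pages you do keep.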
CHARACTERISTICS
– Identifiers: DSECRG-09-002, VIGILANCE-VUL-8400
– Url: http://vigilance.fr/vulnerability/Oracle-WebLogic-Server-Cross-Site-Scripting-of-examples-8400