Services Vulnerabilities Exploits Publications News Blog About DSecRG

[DSECRG-09-031] Oracle BEA Weblogic - Linked ŐSS vulnerability A linked XSS Vulnerability was found in Oracle BEA Weblogic Server version 10.3. Application: Oracle BEA Weblogic 10 Versions Affected: Oracle BEA Weblogic 10 Vendor URL: http://oracle.com Bugs: Linked XSS Vulnerability Exploits: YES Reported: 18.03.2009 Vendor response: 19.03.2009 Description: XSS in Search Date of Public Advisory: 16.07.2009 Authors: Alexandr Polyakov Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com) Details ******* A vulnerability was found in console-help.portal script of Weblogic Server. A linked XSS vulnerability was found in /consolehelp/console-help.portal. Vulnerable parameter -"searchQuery" Example ******* http://testserver.com:7011//consolehelp/console-help.portal?_nfpb=true&_pageLabel=ConsoleHelpSearchPage&searchQuery="><script>alert('DSECRG')</script> Fix Information *************** Information was published in CPU July 2009. All customers can download CPU patches following instructions from: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html Credits ******* Oracle is grateful to Alexandr Polyakov from Digital Security Company in CPU July 2009. http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html About ***** Digital Security is one of the leading IT security companies in CEMEA, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website. Contact: research [at] dsecrg [dot] com http://www.dsecrg.com

Vulnerabilities RSS 23.07.2010 [DSECRG-09-068] SAP NetWaver SLD - Multiple XSS 23.07.2010 [DSECRG-09-040] SAP Netweaver wsnavigator - XSS Security Vulnerability 05.07.2010 [DSECRG-09-054] IBM Bladecenter Management - Multiple vulnerabilities 14.05.2010 [DSECRG-09-058] Vmware View - XSS vulnerability 15.04.2010 [DSECRG-09-049] IBM BladeCenter Management Module - DoS vulnerability 12.04.2010 [DSECRG-09-053] VMware Remote Console - format string vulnerability Vulnerabilities list

		© 2002—2010, Digital Security For quoting or using materials from this site link is obligatory +7 (812) 703-1547, +7 (812) 430-9130    e-mail: research@dsecrg.com Rss: Vulnerabilities, Exploits, News, Publications, Summary Search