Cross-site scripting in WebLogic Workshop 8.1 SP4 using <netui:select> tags

We have an application running on WebLogic Portal 8.1 SP4.

The application uses <netui> tags to capture data from a form and populate the database.
Recently we ran a scanning tool on it to identify the vulnerabilities in it.

What we found was that the <netui> tags use cookies to temporarily store data, and this tool was able to manipulate the cookies and inject script into them.

Below are samples of the HTTP request and HTTP response sent by the tool.

HTTP request snippet

portlet_1_1org.apache.struts.taglib.html.TOKEN=327b12f7867a3b700450e80de0eddb15&portlet_1_1wlw-select_key%3a%7bpageFlow.bean.prefix%7dOldValue=true&portlet_1_1wlw-select_key%3a%7bpageFlow.bean.prefix%7d=&portlet_1_1%7bpageFlow.bean.firstName%7d=12345&portlet_1_1%7bpageFlow.bean.lastName%7d=12345&portlet_1_1%7bpageFlow.bean.address1%7d=12345&portlet_1_1%7bpageFlow.bean.address2%7d=12345&portlet_1_1%7bpageFlow.bean.city%7d=12345&portlet_1_1wlw-select_key%3a%7bpageFlow.bean.state%7dOldValue=true&portlet_1_1wlw-select_key%3a%7bpageFlow.bean.state%7d=&portlet_1_1%7bpageFlow.bean.zip%7d=12345&portlet_1_1%7bpageFlow.bean.emailAddress%7d=12345&portlet_1_1wlw-select_key%3a%7bpageFlow.bean.birthMonth%7dOldValue=true&portlet_1_1wlw-select_key%3a%7bpageFlow.bean.birthMonth%7d=%22%3e%3csCrIpT%3ealert(51346)%3c%2fsCrIpT%3e&portlet_1_1wlw-select_key%3a%7bpageFlow.bean.birthYear%7dOldValue=true&portlet_1_1wlw-select_key%3a%7bpageFlow.bean.birthYear%7d=&portlet_1_1wlw-checkbox_group_key%3a%7bpageFlow.bean.privacy%7dOldValue=true&portlet_1_1wlw-checkbox_group_key%3a%7bpageFlow.bean.privacy%7d=optIn&portlet_1_1wlw-checkbox_group_key%3a%7bpageFlow.bean.privacy%7d=optOut

In the above you will notice that an additional value is being added in one of the drop-down boxes and a script is being given as its value.

Due to the above custom cookie, the additional value is being printed in the page and thus is executed.

HTTP response snippet

<input type="hidden" name="portlet_1_1wlw-select_key:{pageFlow.bean.birthMonth}OldValue" value="true"><select name="portlet_1_1wlw-select_key:{pageFlow.bean.birthMonth}" id="portlet_1_1wlw-select_key:{pageFlow.bean.birthMonth}"><option id="portlet_1_1birthYear_Element0" value="">Month</option><option id="portlet_1_1birthYear_Element1" value="1">January</option><option id="portlet_1_1birthYear_Element2" value="2">February</option><option id="portlet_1_1birthYear_Element3" value="3">March</option><option id="portlet_1_1birthYear_Element4" value="4">April</option><option id="portlet_1_1birthYear_Element5" value="5">May</option><option id="portlet_1_1birthYear_Element6" value="6">June</option><option id="portlet_1_1birthYear_Element7" value="7">July</option><option id="portlet_1_1birthYear_Element8" value="8">August</option><option id="portlet_1_1birthYear_Element9" value="9">September</option><option id="portlet_1_1birthYear_Element10" value="10">October</option><option id="portlet_1_1birthYear_Element11" value="11">November</option><option id="portlet_1_1birthYear_Element12" value="12">December</option><option id="portlet_1_1birthYear_Element13" value=""><sCrIpT>alert(51346)</sCrIpT>" selected>"><sCrIpT>alert(51346)</sCrIpT></option></select>
&nbsp;&nbsp;<input type="hidden" name="portlet_1_1wlw-select_key:{pageFlow.bean.birthYear}OldValue" value="true"><select name="portlet_1_1wlw-select_key:{pageFlow.bean.birthYear}"><option value="" selected>Year</option><option value="2008">2008</option><option value="2007">2007</option><option value="2006">2006</option><option value="2005">2005</option><option value="2004">2004</option><option value="2003">2003</option><option value="2002">2002</option><option value="2001">2001</option><option value="2000">2000</option><option value="1999">1999</option><option value="1998">1998</option><option value="1997">1997</option><option value="1996">1996</option><option value="1995">1995</option><option value="1994">1994</option><option value="1993">1993</option><option value="1992">1992</option><option value="1991">1991</option><option value="1990">1990</option><option value="1989">1989</option><option value="1988">1988</option><option value="1987">1987</option><option value="1986">1986</option><option value="1985">1985</option><option value="1984">1984</option><option value="1983">1983</option><option value="1982">1982</option><option value="1981">1981</option><option value="1980">1980</option><option value="1979">1979</option><option value="1978">1978</option><option value="1977">1977</option><option value="1976">1976</option><option value="1975">1975</option><option value="1974">1974</option><option value="1973">1973</option><option value="1972">1972</option><option value="1971">1971</option><option value="1970">1970</option><option value="1969">1969</option><option value="1968">1968</option><option value="1967">1967</option><option value="1966">1966</option><option value="1965">1965</option><option value="1964">1964</option><option value="1963">1963</option><option value="1962">1962</option><option value="1961

Any idea on how to rectify this? Is this a known issue?
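The request and response above show a classic reflected XSS shape: the posted value for the `wlw-select_key:{pageFlow.bean.birthMonth}` parameter (with its `OldValue` marker set to `true`) is not one of the twelve known options, so the rendered page appends a new `<option>` and drops the raw string into both its `value` attribute and its text. The following is an added example, not code from the original post and not the WebLogic/NetUI tag implementation: the renderers below are a simplified stand-in for what the select tag does, the POST body is cut down from the one quoted above (only the birthMonth parameters are kept), and the function names and the `MONTHS` list are assumptions. It reproduces the echo, then shows the two independent fixes (output encoding, and validating the posted value against the list that backs the select) and the retest check a scanner would apply.

```python
import calendar
import html
import re
from urllib.parse import parse_qs

# Constructed POST body, cut down from the scanner request quoted in the post:
# only the birthMonth select and its "OldValue" marker are kept.
SCANNER_BODY = (
    "portlet_1_1wlw-select_key%3a%7bpageFlow.bean.birthMonth%7dOldValue=true"
    "&portlet_1_1wlw-select_key%3a%7bpageFlow.bean.birthMonth%7d="
    "%22%3e%3csCrIpT%3ealert(51346)%3c%2fsCrIpT%3e"
)

# Decoded parameter name, as it appears in the rendered <select name="...">.
PARAM = "portlet_1_1wlw-select_key:{pageFlow.bean.birthMonth}"

# Assumed fixed option list backing the select: the placeholder plus 1..12.
MONTHS = [("", "Month")] + [(str(i), calendar.month_name[i]) for i in range(1, 13)]
ALLOWED = {value for value, _ in MONTHS}


def submitted_value(body: str) -> str:
    """Return the decoded value the browser (or scanner) posted for the select."""
    params = parse_qs(body, keep_blank_values=True)
    return params.get(PARAM, [""])[0]


def render_select_vulnerable(selected: str) -> str:
    """Stand-in for the behaviour in the response snippet: a posted value that is
    not a known option is appended as an extra <option>, with the raw string placed
    in both the value attribute and the option text."""
    options = [f'<option value="{v}">{t}</option>' for v, t in MONTHS]
    if selected not in ALLOWED:
        options.append(f'<option value="{selected}" selected>{selected}</option>')
    return f'<select name="{PARAM}">' + "".join(options) + "</select>"


def render_option(value: str, text: str, selected: bool) -> str:
    """Emit one option with the attribute and the text context both HTML-encoded."""
    flag = " selected" if selected else ""
    return (f'<option value="{html.escape(value, quote=True)}"{flag}>'
            f'{html.escape(text)}</option>')


def render_select_encoded(selected: str) -> str:
    """Output encoding only: an unknown value is still echoed, but encoded, so the
    browser renders it as text instead of parsing it as markup."""
    options = [render_option(v, t, v == selected) for v, t in MONTHS]
    if selected not in ALLOWED:
        options.append(render_option(selected, selected, True))
    return f'<select name="{html.escape(PARAM, quote=True)}">' + "".join(options) + "</select>"


def render_select_hardened(selected: str) -> str:
    """Input validation plus output encoding: anything outside the allowed list is
    replaced by the placeholder, so no attacker-controlled string is echoed at all."""
    if selected not in ALLOWED:
        selected = ""
    options = [render_option(v, t, v == selected) for v, t in MONTHS]
    return f'<select name="{html.escape(PARAM, quote=True)}">' + "".join(options) + "</select>"


# Retest check: a live <script> tag in the response. Case-insensitive so the
# scanner's sCrIpT spelling is caught; an encoded &lt;script&gt; does not match.
_SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_raw_script(page: str) -> bool:
    return _SCRIPT_TAG.search(page) is not None


if __name__ == "__main__":
    payload = submitted_value(SCANNER_BODY)
    for name, render in (("vulnerable", render_select_vulnerable),
                         ("encoded", render_select_encoded),
                         ("hardened", render_select_hardened)):
        print(f"{name:10s} raw <script> present: {contains_raw_script(render(payload))}")
```

In the page flow this maps to two changes: validate the posted `birthMonth` against the list that backs the select before it reaches the bean (the `OldValue` hidden field should not be enough to get an arbitrary value rendered), and make sure anything the tag echoes is HTML-encoded in both attribute and text context. When retesting, replay the scanner's mixed-case payload rather than a lowercase `<script>`, since a case-sensitive filter would pass the first and fail the second.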