
Cross-site scripting in WebLogic Workshop 8.1 SP4 using <netui:select> tags

650160, Jul 15 2008
We have an application running on weblogic portal 8.1 sp4.

The application uses <netui> tags to capture data from a form and populate the database.
Recently we ran a scanning tool on it to identify the vulnerabilities in it.

What we found was that the <netui> tags use cookies to temporarily store data, and this tool was able to manipulate the cookies and inject script into them.

Below are samples of the HTTP request and HTTP response sent by the tool.

HTTP request snippet

portlet_1_1org.apache.struts.taglib.html.TOKEN=327b12f7867a3b700450e80de0eddb15&portlet_1_1wlw-select_key%3a%7bpageFlow.bean.prefix%7dOldValue=true&portlet_1_1wlw-select_key%3a%7bpageFlow.bean.prefix%7d=&portlet_1_1%7bpageFlow.bean.firstName%7d=12345&portlet_1_1%7bpageFlow.bean.lastName%7d=12345&portlet_1_1%7bpageFlow.bean.address1%7d=12345&portlet_1_1%7bpageFlow.bean.address2%7d=12345&portlet_1_1%7bpageFlow.bean.city%7d=12345&portlet_1_1wlw-select_key%3a%7bpageFlow.bean.state%7dOldValue=true&portlet_1_1wlw-select_key%3a%7bpageFlow.bean.state%7d=&portlet_1_1%7bpageFlow.bean.zip%7d=12345&portlet_1_1%7bpageFlow.bean.emailAddress%7d=12345&portlet_1_1wlw-select_key%3a%7bpageFlow.bean.birthMonth%7dOldValue=true&portlet_1_1wlw-select_key%3a%7bpageFlow.bean.birthMonth%7d=%22%3e%3csCrIpT%3ealert(51346)%3c%2fsCrIpT%3e&portlet_1_1wlw-select_key%3a%7bpageFlow.bean.birthYear%7dOldValue=true&portlet_1_1wlw-select_key%3a%7bpageFlow.bean.birthYear%7d=&portlet_1_1wlw-checkbox_group_key%3a%7bpageFlow.bean.privacy%7dOldValue=true&portlet_1_1wlw-checkbox_group_key%3a%7bpageFlow.bean.privacy%7d=optIn&portlet_1_1wlw-checkbox_group_key%3a%7bpageFlow.bean.privacy%7d=optOut

In the above you will notice that an additional value is being added to one of the drop-down boxes and a script is being given as its value.

Due to the above custom cookie, the additional value is being printed in the page and thus is executed.

HTTP response snippet

<input type="hidden" name="portlet_1_1wlw-select_key:{pageFlow.bean.birthMonth}OldValue" value="true"><select name="portlet_1_1wlw-select_key:{pageFlow.bean.birthMonth}" id="portlet_1_1wlw-select_key:{pageFlow.bean.birthMonth}"><option id="portlet_1_1birthYear_Element0" value="">Month</option><option id="portlet_1_1birthYear_Element1" value="1">January</option><option id="portlet_1_1birthYear_Element2" value="2">February</option><option id="portlet_1_1birthYear_Element3" value="3">March</option><option id="portlet_1_1birthYear_Element4" value="4">April</option><option id="portlet_1_1birthYear_Element5" value="5">May</option><option id="portlet_1_1birthYear_Element6" value="6">June</option><option id="portlet_1_1birthYear_Element7" value="7">July</option><option id="portlet_1_1birthYear_Element8" value="8">August</option><option id="portlet_1_1birthYear_Element9" value="9">September</option><option id="portlet_1_1birthYear_Element10" value="10">October</option><option id="portlet_1_1birthYear_Element11" value="11">November</option><option id="portlet_1_1birthYear_Element12" value="12">December</option><option id="portlet_1_1birthYear_Element13" value=""><sCrIpT>alert(51346)</sCrIpT>" selected>"><sCrIpT>alert(51346)</sCrIpT></option></select>
&nbsp;&nbsp;<input type="hidden" name="portlet_1_1wlw-select_key:{pageFlow.bean.birthYear}OldValue" value="true"><select name="portlet_1_1wlw-select_key:{pageFlow.bean.birthYear}"><option value="" selected>Year</option><option value="2008">2008</option><option value="2007">2007</option><option value="2006">2006</option><option value="2005">2005</option><option value="2004">2004</option><option value="2003">2003</option><option value="2002">2002</option><option value="2001">2001</option><option value="2000">2000</option><option value="1999">1999</option><option value="1998">1998</option><option value="1997">1997</option><option value="1996">1996</option><option value="1995">1995</option><option value="1994">1994</option><option value="1993">1993</option><option value="1992">1992</option><option value="1991">1991</option><option value="1990">1990</option><option value="1989">1989</option><option value="1988">1988</option><option value="1987">1987</option><option value="1986">1986</option><option value="1985">1985</option><option value="1984">1984</option><option value="1983">1983</option><option value="1982">1982</option><option value="1981">1981</option><option value="1980">1980</option><option value="1979">1979</option><option value="1978">1978</option><option value="1977">1977</option><option value="1976">1976</option><option value="1975">1975</option><option value="1974">1974</option><option value="1973">1973</option><option value="1972">1972</option><option value="1971">1971</option><option value="1970">1970</option><option value="1969">1969</option><option value="1968">1968</option><option value="1967">1967</option><option value="1966">1966</option><option value="1965">1965</option><option value="1964">1964</option><option value="1963">1963</option><option value="1962">1962</option><option value="1961

Any idea on how to rectify this? Is this a known issue?
Locked due to inactivity on Aug 12 2008
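The request and response above show the whole bug: the value posted for the birthMonth select is not one of the declared months, so the tag appends it as an extra <option>, marks it selected, and writes it into both the value attribute and the option text without HTML escaping. The attribute-closing quote in the payload (%22 = ") is what lets the injected <sCrIpT> tag escape the attribute. The following Python model is an added example, not code from the original post and not BEA/Oracle NetUI source: render_select_vulnerable is a hypothetical reimplementation of the behaviour visible in the response, render_select_hardened shows the two application-level defences (reject values outside the declared option set, and HTML-escape everything that is interpolated into markup), and reflected_unescaped is a regression check for the scanner's finding. The month option list is reconstructed from the response snippet; REQUEST_BODY is a trimmed excerpt of the posted request keeping only the token and birthMonth fields.

```python
import html
from urllib.parse import parse_qs

# Field name exactly as it appears (URL-decoded) in the posted request.
BIRTH_MONTH_FIELD = "portlet_1_1wlw-select_key:{pageFlow.bean.birthMonth}"

# Option set reconstructed from the response snippet in the post.
MONTHS = ["January", "February", "March", "April", "May", "June", "July",
          "August", "September", "October", "November", "December"]
BIRTH_MONTH_OPTIONS = [("", "Month")] + [(str(i), m) for i, m in enumerate(MONTHS, 1)]

# Constructed test input: a trimmed excerpt of the request body from the post,
# keeping only the Struts token and the two birthMonth fields.
REQUEST_BODY = (
    "portlet_1_1org.apache.struts.taglib.html.TOKEN=327b12f7867a3b700450e80de0eddb15"
    "&portlet_1_1wlw-select_key%3a%7bpageFlow.bean.birthMonth%7dOldValue=true"
    "&portlet_1_1wlw-select_key%3a%7bpageFlow.bean.birthMonth%7d="
    "%22%3e%3csCrIpT%3ealert(51346)%3c%2fsCrIpT%3e"
)


def submitted_value(body, field):
    """Return the first value posted for `field` from a form-urlencoded body."""
    return parse_qs(body, keep_blank_values=True).get(field, [None])[0]


def render_select_vulnerable(field, options, submitted):
    """Hypothetical model of the behaviour shown in the post (not NetUI source):
    a posted value that is not a declared option is appended as an extra
    <option>, marked selected, and written into both the value attribute and
    the option text with no HTML escaping."""
    known = {v for v, _ in options}
    parts = [f'<select name="{field}" id="{field}">']
    for value, label in options:
        sel = " selected" if value == submitted else ""
        parts.append(f'<option value="{value}"{sel}>{label}</option>')
    if submitted is not None and submitted not in known:
        parts.append(f'<option value="{submitted}" selected>{submitted}</option>')
    parts.append("</select>")
    return "".join(parts)


def _esc(s):
    # quote=True also encodes " and ', so a value can never close its attribute.
    return html.escape(s, quote=True)


def render_select_hardened(field, options, submitted):
    """Two defences: (1) allow-list: a posted value that is not a declared
    option is dropped instead of echoed back; (2) every string interpolated
    into markup is HTML-escaped, so even a rendered value stays inert."""
    known = {v for v, _ in options}
    if submitted not in known:
        submitted = None
    parts = [f'<select name="{_esc(field)}" id="{_esc(field)}">']
    for value, label in options:
        sel = " selected" if value == submitted else ""
        parts.append(f'<option value="{_esc(value)}"{sel}>{_esc(label)}</option>')
    parts.append("</select>")
    return "".join(parts)


def reflected_unescaped(response_html, payload):
    """Regression check for the scanner's finding: True when the raw payload,
    attribute-closing quote and <sCrIpT> tag included, appears verbatim."""
    return payload in response_html


def demo():
    payload = submitted_value(REQUEST_BODY, BIRTH_MONTH_FIELD)
    before = render_select_vulnerable(BIRTH_MONTH_FIELD, BIRTH_MONTH_OPTIONS, payload)
    after = render_select_hardened(BIRTH_MONTH_FIELD, BIRTH_MONTH_OPTIONS, payload)
    return payload, reflected_unescaped(before, payload), reflected_unescaped(after, payload)


if __name__ == "__main__":
    payload, vuln, fixed = demo()
    print("decoded payload:", payload)
    print("vulnerable rendering reflects it unescaped:", vuln)
    print("hardened rendering reflects it unescaped:", fixed)
```

The allow-list check is the one that matters for a <select>: a value the form never offered has no business being rendered back at all, and dropping it also removes the "extra option" the scanner flagged. Escaping is the safety net for every other place a posted value is echoed (the text inputs for firstName, address1 and so on use the same tag library), so both belong in the fix. Whether the tag library itself can be patched on 8.1 SP4 is a question for the vendor; the page does not name a specific patch.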