WebLogic Console Help Interface XSS

July 24, 2009

Oracle WebLogic Server is a multi-tier Java Application Server platform. In a two and three-tier application architecture, a web server is used to receive forms or HTTP requests, then pass them to application servers, which perform actual processing. To reduce management complexity in large installations, WebLogic Servers are grouped into domains. There is a single Administration Server for each domain, which is itself an instance of a WebLogic Server. By default, the Administration Server is listening TCP port 7001.

The Administration Server is managed using the Administration Console. The Administration Console includes tools and Console Help interface. Administrators can use the Console Help interface to search documents on a desired topic. A typical search query looks like:

http://[hostname]:7001/consolehelp/console-help.portal?_nfpb=true&_pageLabel=ConsoleHelpSearchPage&searchQuery=[topic to search]

A cross-site scripting vulnerability exists in Oracle WebLogic Server. Specifically, the vulnerability is in the Administration Console Help interface. The vulnerable code does not properly validate the searchQuery value before using it in constructing the response page. By sending crafted searchQuery value to the Console Help interface, an attacker could inject arbitrary HTML or script code to the Administration Server. Such injected HTML or script code will then be sent by the server in its response to the client and will be executed in the security context of the client's browser.

Successful exploitation would allow the attacker to steal the target user's private information, such as the username, password and session cookie. The attacker may use the credential to grant full access to administrator's account and the underlying WebLogic Server.

The vulnerability has been assigned as CVE-2009-1975.

SonicWALL has released an IPS signature that will detect and prevent attacks targeting this vulnerability. The signature to address this vulnerability is:

  • 1185 XSS Oracle WebLogic Server console-help.portal XSS Attempt