Vulnerabilities > CVE-2005-1743 - Remote vulnerability in BEA WebLogic Server and WebLogic Express

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
bea
oracle
nessus

Summary

BEA WebLogic Server and WebLogic Express 8.1 through Service Pack 3 and 7.0 through Service Pack 5 does not properly handle when a security provider throws an exception, which may cause WebLogic to use incorrect identity for the thread, or to fail to audit security exceptions.

Nessus

NASL familyWeb Servers
NASL idBEA_81SP4_MULT_VULNS.NASL
descriptionAccording to its banner, the remote host is running a version of BEA WebLogic Server or WebLogic Express that is prone to multiple vulnerabilities. These flaws could lead to buffer overflows, denial of service, unauthorized access, cross-site scripting attacks, and information disclosure.
last seen2020-06-01
modified2020-06-02
plugin id18365
published2005-05-24
reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/18365
titleBEA WebLogic <= 8.1 SP4 Multiple Vulnerabilities (XSS, DoS, ID, more)
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

if (description) {
  script_id(18365);
  script_version("1.26");

  script_cve_id("CVE-2005-1380", "CVE-2005-1742", "CVE-2005-1743", "CVE-2005-1744",
                "CVE-2005-1745", "CVE-2005-1746", "CVE-2005-1747", "CVE-2005-1748", "CVE-2005-1749");
  script_bugtraq_id(12548, 13400, 13717, 13793, 13794, 14632, 14657);

  script_name(english:"BEA WebLogic <= 8.1 SP4 Multiple Vulnerabilities (XSS, DoS, ID, more)");
 
 script_set_attribute(attribute:"synopsis", value:
"The remote web server is affected by multiple flaws." );
 script_set_attribute(attribute:"description", value:
"According to its banner, the remote host is running a version of BEA
WebLogic Server or WebLogic Express that is prone to multiple
vulnerabilities.  These flaws could lead to buffer overflows, denial
of service, unauthorized access, cross-site scripting attacks, and
information disclosure." );
 script_set_attribute(attribute:"see_also", value:"http://web.archive.org/web/20070211133850/dev2dev.bea.com/pub/advisory/125" );
 script_set_attribute(attribute:"see_also", value:"http://web.archive.org/web/20061017121059/http://dev2dev.bea.com/pub/advisory/126" );
 script_set_attribute(attribute:"see_also", value:"http://web.archive.org/web/20070211133831/http://dev2dev.bea.com:80/pub/advisory/127" );
 script_set_attribute(attribute:"see_also", value:"http://web.archive.org/web/20070211133900/http://dev2dev.bea.com:80/pub/advisory/128" );
 script_set_attribute(attribute:"see_also", value:"http://web.archive.org/web/20070211133820/http://dev2dev.bea.com:80/pub/advisory/129" );
 script_set_attribute(attribute:"see_also", value:"http://web.archive.org/web/20070404224518/dev2dev.bea.com/pub/advisory/130" );
 script_set_attribute(attribute:"see_also", value:"http://web.archive.org/web/20070427111447/http://dev2dev.bea.com:80/pub/advisory/132" );
 script_set_attribute(attribute:"see_also", value:"http://web.archive.org/web/20070211133652/http://dev2dev.bea.com:80/pub/advisory/135" );
 script_set_attribute(attribute:"see_also", value:"http://web.archive.org/web/20070207142547/http://dev2dev.bea.com:80/pub/advisory/137" );
 script_set_attribute(attribute:"solution", value:
"Upgrade to the appropriate Service Pack as discussed in the vendor
advisories referenced above." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

 script_set_attribute(attribute:"plugin_publication_date", value: "2005/05/24");
 script_set_attribute(attribute:"vuln_publication_date", value: "2005/04/25");
 script_cvs_date("Date: 2018/11/15 20:50:25");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();

 
  summary["english"] = "Checks for multiple vulnerabilities in BEA WebLogic <= 8.1 SP4";
  script_summary(english:summary["english"]);
 
  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");

  script_dependencies("http_version.nasl");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


port = get_http_port(default:80);

# Check the version number in the banner.
banner = get_http_banner(port:port);
if (!banner || "WebLogic " >!< banner) exit(0);

pat = "^Server:.*WebLogic .*([0-9]+\.[0-9.]+) ";
matches = egrep(pattern:pat, string:banner);
if (matches) {
  foreach match (split(matches, keep:FALSE)) {
    ver = eregmatch(pattern:pat, string:match);
    if (!isnull(ver)) {
      # Extract the version and service pack numbers.
      nums = split(ver[1], sep:".", keep:FALSE);
      ver_maj = int(nums[0]);
      ver_min = int(nums[1]);

      sp = ereg_replace(
        string:match, 
        pattern:".* (Service Pack |SP)([0-9]+) .+",
        replace:"\2"
      );
      if (!sp) sp = 0;
      else sp = int(sp);

      # Check them against vulnerable versions listed in BEA's advisories.
      if (
        # version 6.x
        (
          ver_maj == 6 && 
          (
            ver_min < 1 ||
            (ver_min == 1 && sp <= 7)
          )
        ) ||

        # version 7.x
        (ver_maj == 7 && (ver_min == 0 && sp <= 6)) ||
  
        # version 8.x
        (
          ver_maj == 8 && 
          (
            ver_min < 1 ||
            (ver_min == 1 && sp <= 4)
          )
        )
      ) {
        security_hole(port);
	set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
      }
      exit(0);
    }
  }
}