Vulnerabilities > CVE-2005-1747 - Remote vulnerability in BEA WebLogic Server and WebLogic Express

047910
CVSS 6.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
bea
oracle
nessus

Summary

Multiple cross-site scripting (XSS) vulnerabilities in BEA WebLogic Server and Express 8.1 through Service Pack 4, and 7.0 through Service Pack 6, allow remote attackers to inject arbitrary web script or HTML, and possibly gain administrative privileges, via the (1) j_username or (2) j_password parameters in the login page (LoginForm.jsp), (3) parameters to the error page in the Administration Console, (4) unknown vectors in the Server Console while the administrator has an active session to obtain the ADMINCONSOLESESSION cookie, or (5) an alternate vector in the Server Console that does not require an active session but also leaks the username and password.

Nessus

NASL family: Web Servers
NASL id: BEA_81SP4_MULT_VULNS.NASL
description: According to its banner, the remote host is running a version of BEA WebLogic Server or WebLogic Express that is prone to multiple vulnerabilities. These flaws could lead to buffer overflows, denial of service, unauthorized access, cross-site scripting attacks, and information disclosure.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 18365
published: 2005-05-24
reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/18365
title: BEA WebLogic <= 8.1 SP4 Multiple Vulnerabilities (XSS, DoS, ID, more)
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

if (description) {
  # Registration branch: only plugin metadata is declared here; the
  # actual banner check lives below and never runs in this mode.
  script_id(18365);
  script_version("1.26");

  script_cve_id(
    "CVE-2005-1380",
    "CVE-2005-1742",
    "CVE-2005-1743",
    "CVE-2005-1744",
    "CVE-2005-1745",
    "CVE-2005-1746",
    "CVE-2005-1747",
    "CVE-2005-1748",
    "CVE-2005-1749"
  );
  script_bugtraq_id(12548, 13400, 13717, 13793, 13794, 14632, 14657);

  script_name(english:"BEA WebLogic <= 8.1 SP4 Multiple Vulnerabilities (XSS, DoS, ID, more)");

  # User-facing text. The multi-line literals keep their original line
  # breaks because the string content is part of the rendered report.
  synopsis = "The remote web server is affected by multiple flaws.";
  desc =
"According to its banner, the remote host is running a version of BEA
WebLogic Server or WebLogic Express that is prone to multiple
vulnerabilities.  These flaws could lead to buffer overflows, denial
of service, unauthorized access, cross-site scripting attacks, and
information disclosure.";
  soln =
"Upgrade to the appropriate Service Pack as discussed in the vendor
advisories referenced above.";

  script_set_attribute(attribute:"synopsis", value:synopsis);
  script_set_attribute(attribute:"description", value:desc);

  # Archived copies of the BEA advisories this check covers, in the
  # same order they were originally registered.
  foreach url (make_list(
    "http://web.archive.org/web/20070211133850/dev2dev.bea.com/pub/advisory/125",
    "http://web.archive.org/web/20061017121059/http://dev2dev.bea.com/pub/advisory/126",
    "http://web.archive.org/web/20070211133831/http://dev2dev.bea.com:80/pub/advisory/127",
    "http://web.archive.org/web/20070211133900/http://dev2dev.bea.com:80/pub/advisory/128",
    "http://web.archive.org/web/20070211133820/http://dev2dev.bea.com:80/pub/advisory/129",
    "http://web.archive.org/web/20070404224518/dev2dev.bea.com/pub/advisory/130",
    "http://web.archive.org/web/20070427111447/http://dev2dev.bea.com:80/pub/advisory/132",
    "http://web.archive.org/web/20070211133652/http://dev2dev.bea.com:80/pub/advisory/135",
    "http://web.archive.org/web/20070207142547/http://dev2dev.bea.com:80/pub/advisory/137"
  )) script_set_attribute(attribute:"see_also", value:url);

  script_set_attribute(attribute:"solution", value:soln);

  # Scoring and exploitability metadata.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

  # Dates and plugin type.
  script_set_attribute(attribute:"plugin_publication_date", value: "2005/05/24");
  script_set_attribute(attribute:"vuln_publication_date", value: "2005/04/25");
  script_cvs_date("Date: 2018/11/15 20:50:25");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  summary["english"] = "Checks for multiple vulnerabilities in BEA WebLogic <= 8.1 SP4";
  script_summary(english:summary["english"]);

  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");

  # Needs the HTTP banner collected by http_version.nasl on a www port.
  script_dependencies("http_version.nasl");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


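port = get_http_port(default:80);

# Flag BEA WebLogic Server / Express builds that the referenced BEA
# advisories list as affected (6.x below 6.1 or 6.1 <= SP7, 7.0 <= SP6,
# 8.x below 8.1 or 8.1 <= SP4), judging solely from the version string in
# the HTTP Server header. A banner check cannot see a rewritten banner or
# a backported fix, so the result is only as reliable as the banner.
banner = get_http_banner(port:port);
if (!banner || "WebLogic " >!< banner) exit(0);

# Capture group 1 is the dotted version that follows "WebLogic " (e.g. "8.1").
pat = "^Server:.*WebLogic .*([0-9]+\.[0-9.]+) ";
matches = egrep(pattern:pat, string:banner);
if (matches) {
  foreach match (split(matches, keep:FALSE)) {
    ver = eregmatch(pattern:pat, string:match);
    if (isnull(ver)) continue;

    # Split the dotted version into major / minor. The character class
    # allows a trailing dot ("8."), in which case there is no minor part.
    nums = split(ver[1], sep:".", keep:FALSE);
    ver_maj = int(nums[0]);
    if (max_index(nums) > 1) ver_min = int(nums[1]);
    else ver_min = 0;

    # Service pack: match it explicitly. The earlier ereg_replace() handed
    # back the entire header line when no "Service Pack"/"SP" token was
    # present and relied on int() quietly turning that text into 0; with an
    # explicit match, "no SP token" means sp = 0 by construction.
    sp_match = eregmatch(pattern:" (Service Pack |SP)([0-9]+) ", string:match);
    if (isnull(sp_match)) sp = 0;
    else sp = int(sp_match[2]);

    # Compare against the vulnerable ranges from the BEA advisories.
    vuln = FALSE;
    if (ver_maj == 6) vuln = (ver_min < 1 || (ver_min == 1 && sp <= 7));
    else if (ver_maj == 7) vuln = (ver_min == 0 && sp <= 6);
    else if (ver_maj == 8) vuln = (ver_min < 1 || (ver_min == 1 && sp <= 4));

    if (vuln) {
      security_hole(port);
      # Record the XSS finding in the KB so other web plugins can skip
      # redundant generic XSS reporting against this port.
      set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
    }

    # As before, only the first parseable Server header line is evaluated.
    exit(0);
  }
}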