CGI abuses : WebLogic Server Multiple Vulnerabilities

Búsqueda de Vulnerabilidad		Buscar 219043 Descripciones CVE y 99761 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.55385

Categoría: CGI abuses

Título: WebLogic Server Multiple Vulnerabilities

Resumen: NOSUMMARY

Descripción: Description:

The remote host, according to its banner, is running a
WebLogic Server vulnerable to multiple cross site
scripting attacks. Remote attackers can inject
arbitrary web script or HTML via the 'j_username' and
'j_password' parameters in the 'LoginForm.jsp' script,
as well as being able to manipulate error page parameters
in the Administration console and steal session cookies
from the Server Console.

Solution : Apply the latest service pack.
For 8.1, apply SP4 and then patch CR202495
For 7.0, apply SP6 and then patch CR214457
http://dev2dev.bea.com/pub/advisory/130

Risk factor : High

CVSS Score:
6.8

Referencia Cruzada: BugTraq ID: 13717
Common Vulnerability Exposure (CVE) ID: CVE-2005-1747
http://dev2dev.bea.com/pub/advisory/130
http://www.securityfocus.com/bid/13717
Bugtraq: 20050524 ACROS Security: HTML Injection in BEA WebLogic Server Console (1) (Google Search)
http://marc.info/?l=bugtraq&m=111695921212456&w=2
Bugtraq: 20050524 ACROS Security: HTML Injection in BEA WebLogic Server Console (2) (Google Search)
http://marc.info/?l=bugtraq&m=111695844803328&w=2
Bugtraq: 20050527 [AppSecInc Advisory BEA05-V0100] BEA WebLogic Administration Console error page cross-site scripting vulnerability (Google Search)
http://marc.info/?l=bugtraq&m=111722298705561&w=2
Bugtraq: 20050527 [AppSecInc Advisory BEA05-V0101] BEA WebLogic Administration Console login page cross-site scripting vulnerability (Google Search)
http://marc.info/?l=bugtraq&m=111722380313416&w=2
http://www.acrossecurity.com/aspr/ASPR-2005-05-24-1-PUB.txt
http://www.acrossecurity.com/aspr/ASPR-2005-05-24-2-PUB.txt
http://www.appsecinc.com/resources/alerts/general/BEA-001.html
http://www.appsecinc.com/resources/alerts/general/BEA-002.html
http://securitytracker.com/id?1014049
http://secunia.com/advisories/15486
http://www.vupen.com/english/advisories/2005/0607

Copyright Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com

Esta es sólo una de 99761 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.55385
Categoría:	CGI abuses
Título:	WebLogic Server Multiple Vulnerabilities
Resumen:	NOSUMMARY
Descripción:	Description: The remote host, according to its banner, is running a WebLogic Server vulnerable to multiple cross site scripting attacks. Remote attackers can inject arbitrary web script or HTML via the 'j_username' and 'j_password' parameters in the 'LoginForm.jsp' script, as well as being able to manipulate error page parameters in the Administration console and steal session cookies from the Server Console. Solution : Apply the latest service pack. For 8.1, apply SP4 and then patch CR202495 For 7.0, apply SP6 and then patch CR214457 http://dev2dev.bea.com/pub/advisory/130 Risk factor : High CVSS Score: 6.8
Referencia Cruzada:	BugTraq ID: 13717 Common Vulnerability Exposure (CVE) ID: CVE-2005-1747 http://dev2dev.bea.com/pub/advisory/130 http://www.securityfocus.com/bid/13717 Bugtraq: 20050524 ACROS Security: HTML Injection in BEA WebLogic Server Console (1) (Google Search) http://marc.info/?l=bugtraq&m=111695921212456&w=2 Bugtraq: 20050524 ACROS Security: HTML Injection in BEA WebLogic Server Console (2) (Google Search) http://marc.info/?l=bugtraq&m=111695844803328&w=2 Bugtraq: 20050527 [AppSecInc Advisory BEA05-V0100] BEA WebLogic Administration Console error page cross-site scripting vulnerability (Google Search) http://marc.info/?l=bugtraq&m=111722298705561&w=2 Bugtraq: 20050527 [AppSecInc Advisory BEA05-V0101] BEA WebLogic Administration Console login page cross-site scripting vulnerability (Google Search) http://marc.info/?l=bugtraq&m=111722380313416&w=2 http://www.acrossecurity.com/aspr/ASPR-2005-05-24-1-PUB.txt http://www.acrossecurity.com/aspr/ASPR-2005-05-24-2-PUB.txt http://www.appsecinc.com/resources/alerts/general/BEA-001.html http://www.appsecinc.com/resources/alerts/general/BEA-002.html http://securitytracker.com/id?1014049 http://secunia.com/advisories/15486 http://www.vupen.com/english/advisories/2005/0607
Copyright	Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com