WebLogic Server, WebLogic Express, WebLogic Integration and WebLogic Liquid Data allow remote users to conduct Cross Site Scripting (XSS) attacks in sample and possibly custom applications. An attacker could exploit this vulnerability to steal the administrator's cookie-based authentication credentials, obtain other sensitive information, or perform actions as the administrator.
Classification
Location:
Remote/Network Access Required
Attack Type:
Input Manipulation
Impact:
Loss of Integrity
OSVDB:
Web Related
Technical
A vulnerability in the Servlet container that can be exploited when the browser is being sent a forward instruction. Static URLs such as http://www.bea.com are not exploitable when being forwarded to. The exploit only occurs when there are dynamic URLs such as
BEA strongly suggests that customers apply the remedies recommended in all our security advisories. BEA also urges customers to apply every Service Pack as they are released. Service Packs include a roll-up of all bug fixes for each version of the product, as well as each of the prior Service Packs.
For WebLogic Integration 7.0 Apply the WebLogic Server patch to WebLogic Server 7.0 SP2 ftp://ftpna.beasys.com/pub/releases/security/CR105443_70sp2-v2.jar and apply the WebLogic Integration patch to WebLogic Integration 7.0 SP2 ftp://ftpna.beasys.com/pub/releases/security/tempPatchCR103371_WLI70SP2.zip
When Service Pack 4 is available for WebLogic Integration and WebLogic Server, you can use that Service Pack instead of Service Pack 2 and these patches.
For WebLogic Integration 2.1 running on WebLogic Server 6.1 Service Pack 3 Apply the WebLogic Server patch to WebLogic Server 6.1 SP3 ftp://ftpna.beasys.com/pub/releases/security/CR105443_610sp3.jar and apply the WebLogic Integration patch to WebLogic Integration 2.1 ftp://ftpna.beasys.com/pub/releases/security/tempPatchCR105536_WLI21SP2.zip
For WebLogic Integration 2.1 running on WebLogic Server 6.1 Service Pack 2 Apply the WebLogic Server patch to WebLogic Server 6.1 SP2 ftp://ftpna.beasys.com/pub/releases/security/CR105443_610sp2.jar and apply the WebLogic Integration patch to WebLogic Integration 2.1 ftp://ftpna.beasys.com/pub/releases/security/tempPatchCR105536_WLI21SP2.zip
For Liquid Data 1.1 Apply the WebLogic Server patch to WebLogic Server 7.0 SP2 ftp://ftpna.beasys.com/pub/releases/security/CR105443_70sp2-v2.jar and upgrade to Liquid Data Rolling Patch 4.
For WebLogic Server 7.0 Upgrade to Service Pack 3 and apply the patch ftp://ftpna.beasys.com/pub/releases/security/CR105443_70sp3.jar When Service Pack 4 is available, you can use that Service Pack instead of Service Pack 3 and this patch.
For WebLogic Server 6.1 Upgrade to Service Pack 5 and apply the patch ftp://ftpna.beasys.com/pub/releases/security/CR105443_610sp5.jar When Service Pack 6 is available, you can use that Service Pack instead of Service Pack 5 and this patch.
For WebLogic Server 5.1 Upgrade to Service Pack 13 and apply the patch ftp://ftpna.beasys.com/pub/releases/security/CR105007_510sp13.jar
