Network Security: Detailed info on RE: ACROS Security: HTML Injection in BEA WebLogic Server Console (2)

Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.

Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.

Network Security Vuln-Dev

[Top] [All Lists]

RE: ACROS Security: HTML Injection in BEA WebLogic Server Console (2)

from [ACROS Security] Network Security

[Permanent Link]

Subject:	RE: ACROS Security: HTML Injection in BEA WebLogic Server Console (2)
Date:	Fri, 27 May 2005 12:06:33 +0200

Will,

To exploit this an admin user still needs to click on a link 
to a URL right? or is the malicious javascript inserted into 
the login page via http splitting?


An attacker needs to either trick the admin to visit some web page, or
modify the response of any web server the admin ever connects to (e.g.,
Google). What's important is that he can do this any time _before_ the admin
logs in to WebLogic console, not during an already active administration
session. This makes the attack very easy, at least from my pen-testing
perspective.

Sorry for the delay in replying.

Mitja Kolsek

ACROS, d.o.o.
Makedonska ulica 113
SI - 2000 Maribor, Slovenia
tel: +386 2 3000 280
fax: +386 2 3000 282
web: http://www.acrossecurity.com

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
ACROS Security: HTML Injection in BEA WebLogic Server Console (2), ACROS Security Re: ACROS Security: HTML Injection in BEA WebLogic Server Console (2), Will Schroeder RE: ACROS Security: HTML Injection in BEA WebLogic Server Console (2), ACROS Security <=

Previous by Date:	Re: [SECURITY] [DSA 729-1] New PHP4 packages fix denial of service, John GALLET
Next by Date:	Re: User32.dll Icon Size Crash, Daniel Souza
Previous by Thread:	Re: ACROS Security: HTML Injection in BEA WebLogic Server Console (2), Will Schroeder
Next by Thread:	ACROS Security: HTML Injection in BEA WebLogic Server Console (1), ACROS Security
Indexes:	[Date] [Thread] [Top] [All Lists]