Bugtraq mailing list archives
RE: ACROS Security: HTML Injection in BEA WebLogic Server Console (2)
From: "ACROS Security" <lists () acros si>
Date: Fri, 27 May 2005 12:06:33 +0200
Will,
To exploit this an admin user still needs to click on a link to a URL right? or is the malicious javascript inserted into the login page via http splitting?
An attacker needs to either trick the admin to visit some web page, or modify the response of any web server the admin ever connects to (e.g., Google). What's important is that he can do this any time _before_ the admin logs in to WebLogic console, not during an already active administration session. This makes the attack very easy, at least from my pen-testing perspective. Sorry for the delay in replying. Mitja Kolsek ACROS, d.o.o. Makedonska ulica 113 SI - 2000 Maribor, Slovenia tel: +386 2 3000 280 fax: +386 2 3000 282 web: http://www.acrossecurity.com
Current thread:
- ACROS Security: HTML Injection in BEA WebLogic Server Console (2) ACROS Security (May 24)
- Re: ACROS Security: HTML Injection in BEA WebLogic Server Console (2) Will Schroeder (May 26)
- RE: ACROS Security: HTML Injection in BEA WebLogic Server Console (2) ACROS Security (May 27)
- Re: ACROS Security: HTML Injection in BEA WebLogic Server Console (2) Will Schroeder (May 26)