Vulnerability details
Bea WebLogic/Liquid Data multiple cross-site scripting vulnerabilities
- CNNVD ID: CNNVD-200310-062
- Severity: Medium
- CVE ID: CVE-2003-0733
- Vulnerability type: Input validation
- Published: 2003-08-07
- Threat type: Remote
- Updated: 2005-10-20
- Vendor: bea
- Source: BEA SECURITY ADVIS…
Vulnerability description
BEA Systems WebLogic comprises several application integration products, including Server, Express, Integration and Liquid Data.
Multiple BEA Systems products contain cross-site scripting issues. A remote attacker can exploit them to obtain cookies used for authentication or to carry out other attacks.
The affected systems have two kinds of XSS vulnerability:
1. The problem lies in the servlet container and is triggered when it sends a redirect to the browser. A static URL such as "http://www.bea.com" cannot be exploited; the cross-site scripting issue is triggered only when the redirect target is built dynamically from request data, for example:
"http://www.bea.com?username=" + request.getParameter("user")
Any application that constructs its redirect URL dynamically in this way contains the vulnerability.
2. The WebLogic Server console application contains a series of vulnerabilities. These affect users who hold administrative roles (such as "Admin", "Monitor", "Deployer" and "Operator"). A privileged user could be tricked into clicking a URL that discloses sensitive information or triggers another vulnerability.
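The first issue above is a general pattern, not something specific to WebLogic: a request parameter is concatenated into a redirect target and reaches the browser unencoded. The following is an added illustration written for this page, not code from BEA or from the advisory. It avoids the servlet API so it compiles with a plain JDK; the `user` argument stands in for `request.getParameter("user")`, and the class and method names (`RedirectBuilder`, `unsafeRedirect`, `encodedRedirect`, `validatedRedirect`) are hypothetical.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

/**
 * Added example (not BEA's code): the vulnerable redirect construction
 * described in the advisory next to two defensive alternatives.
 */
public class RedirectBuilder {
    // Base of the dynamic URL quoted in the advisory.
    private static final String BASE = "http://www.bea.com?username=";

    // Vulnerable pattern: raw concatenation. Whatever the client supplied in
    // "user" (quotes, angle brackets, ...) is emitted verbatim by the container
    // in the redirect it sends back to the browser.
    static String unsafeRedirect(String user) {
        return BASE + user;
    }

    // Hardened: percent-encode the value as a query component before it is
    // placed in the URL. '"', '<' and '>' become %22, %3C and %3E and can no
    // longer break out of the URL or be rendered as markup.
    static String encodedRedirect(String user) {
        return BASE + URLEncoder.encode(user, StandardCharsets.UTF_8);
    }

    // Stricter: when legitimate values are known to fit a narrow shape (account
    // names here), reject anything outside that character class instead of
    // trying to neutralise it. The pattern is an assumption for this example.
    private static final Pattern USERNAME = Pattern.compile("[A-Za-z0-9._-]{1,64}");

    static String validatedRedirect(String user) {
        if (user == null || !USERNAME.matcher(user).matches()) {
            throw new IllegalArgumentException("rejected username parameter");
        }
        return BASE + user;
    }

    public static void main(String[] args) {
        // Constructed sample input: a value carrying the markup characters that
        // the advisory's dynamic URL would pass straight through.
        String hostile = "alice\"><b>x</b>";
        System.out.println("unsafe   : " + unsafeRedirect(hostile));
        System.out.println("encoded  : " + encodedRedirect(hostile));
        try {
            validatedRedirect(hostile);
        } catch (IllegalArgumentException e) {
            System.out.println("validated: " + e.getMessage());
        }
        System.out.println("validated: " + validatedRedirect("alice"));
    }
}
```

Run with `java RedirectBuilder.java` (JDK 11 or later). The encoded form is the general fix for this class of bug: it applies to every parameter, not just the one the advisory happens to name. The allowlist form is preferable where the value's legitimate shape is known, because it also stops unexpected values from ever reaching the redirect. Either way the fix belongs where the URL is assembled, not in the container that emits it.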
Vulnerability bulletin
Vendor patches:
BEA Systems
———–
The vendor has released patches that fix this security issue. Download them from the vendor's site:
BEA Systems WebLogic Integration 2.1:
BEA Systems Patch tempPatchCR105536_WLI21SP2.zip
ftp://ftpna.beasys.com/pub/releases/security/tempPatchCR105536_WLI21SP2.zip
WebLogic Integration 2.1 patch requires prerequisite patches for WebLogic 6.1 SP 2 or SP 3.
BEA Systems WebLogic Express 5.1 SP 13:
BEA Systems Patch CR105007_510sp13.jar
ftp://ftpna.beasys.com/pub/releases/security/CR105007_510sp13.jar
Requires WebLogic 5.1 SP 13.
BEA Systems Weblogic Server 5.1 SP 13:
BEA Systems Patch CR105007_510sp13.jar
ftp://ftpna.beasys.com/pub/releases/security/CR105007_510sp13.jar
Requires WebLogic 5.1 SP 13.
BEA Systems WebLogic Express for Win32 5.1 SP 13:
BEA Systems Patch CR105007_510sp13.jar
ftp://ftpna.beasys.com/pub/releases/security/CR105007_510sp13.jar
Requires WebLogic 5.1 SP 13.
BEA Systems WebLogic Server for Win32 5.1 SP 13:
BEA Systems Patch CR105007_510sp13.jar
ftp://ftpna.beasys.com/pub/releases/security/CR105007_510sp13.jar
Requires WebLogic 5.1 SP 13.
BEA Systems Weblogic Server 7.0 SP 3:
BEA Systems Patch CR105443_70sp3.jar
ftp://ftpna.beasys.com/pub/releases/security/CR105443_70sp3.jar
Requires WebLogic 7.0 SP 3.
BEA Systems WebLogic Express 7.0 SP 3:
BEA Systems Patch CR105443_70sp3.jar
ftp://ftpna.beasys.com/pub/releases/security/CR105443_70sp3.jar
Requires WebLogic 7.0 SP 3.
BEA Systems WebLogic Express for Win32 7.0 SP 3:
BEA Systems Patch CR105443_70sp3.jar
ftp://ftpna.beasys.com/pub/releases/security/CR105443_70sp3.jar
Requires WebLogic 7.0 SP 3.
BEA Systems WebLogic Server for Win32 7.0 SP 3:
BEA Systems Patch CR105443_70sp3.jar
ftp://ftpna.beasys.com/pub/releases/security/CR105443_70sp3.jar
Requires WebLogic 7.0 SP 3.
BEA Systems WebLogic Server for Win32 7.0 SP 2:
BEA Systems Patch CR105443_70sp2-v2.jar
ftp://ftpna.beasys.com/pub/releases/security/CR105443_70sp2-v2.jar
Prerequisite for installing Liquid Data Rolling Patch 4 on BEA WebLogic 7.0 SP 2.
BEA Systems Patch CR105443_70sp2-v2.jar
ftp://ftpna.beasys.com/pub/releases/security/CR105443_70sp2-v2.jar
Prerequisite patch for WebLogic 7.0 SP 2.
BEA Systems WebLogic Express for Win32 7.0 SP 2:
BEA Systems Patch CR105443_70sp2-v2.jar
ftp://ftpna.beasys.com/pub/releases/security/CR105443_70sp2-v2.jar
Prerequisite for installing Liquid Data Rolling Patch 4 on BEA WebLogic 7.0 SP 2.
BEA Systems Patch CR105443_70sp2-v2.jar
ftp://ftpna.beasys.com/pub/releases/security/CR105443_70sp2-v2.jar
Prerequisite patch for WebLogic 7.0 SP 2.
BEA Systems WebLogic Express 7.0 SP 2:
BEA Systems Patch CR105443_70sp2-v2.jar
ftp://ftpna.beasys.com/pub/releases/security/CR105443_70sp2-v2.jar
Prerequisite for installing Liquid Data Rolling Patch 4 on BEA WebLogic 7.0 SP 2.
BEA Systems Patch CR105443_70sp2-v2.jar
ftp://ftpna.beasys.com/pub/releases/security/CR105443_70sp2-v2.jar
Prerequisite patch for WebLogic 7.0 SP 2.
BEA Systems Weblogic Server 7.0 SP 2:
BEA Systems Patch CR105443_70sp2-v2.jar
ftp://ftpna.beasys.com/pub/releases/security/CR105443_70sp2-v2.jar
Prerequisite for installing Liquid Data Rolling Patch 4 on BEA WebLogic 7.0 SP 2.
BEA Systems Patch CR105443_70sp2-v2.jar
ftp://ftpna.beasys.com/pub/releases/security/CR105443_70sp2-v2.jar
Prerequisite patch for WebLogic 7.0 SP 2.
BEA Systems WebLogic Integration 7.0:
BEA Systems Patch tempPatchCR103371_WLI70SP2.zip
ftp://ftpna.beasys.com/pub/releases/security/tempPatchCR103371_WLI70SP2.zip
WebLogic Integration 7.0 patch requires the prerequisite patch for WebLogic 7.0 SP 2.
References
Source: BID
Name: 8357
Link: http://www.securityfocus.com/bid/8357
Source: dev2dev.bea.com
Link: http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/SA_BEA03_36.00.jsp