Oracle WebLogic SSRF And XSS

基本字段

漏洞编号：: SSV-89312

披露/发现时间：: 2013-01-12

提交时间：: 2015-09-06

漏洞等级：

漏洞类别：: 跨站脚本

影响组件：: Oracle WebLogic Server
(=10.0.2, 10.3.6)

漏洞作者：: 未知

提交者：: qingxp9

CVE-ID：: CVE-2014-4241, CVE-2014-4210, CVE-2014-4242

CNNVD-ID：: CNNVD-201407-437

CNVD-ID：: CNVD-2014-04427

ZoomEye Dork：: 补充

来源

漏洞详情

贡献者 qingxp9 共获得 3.3KB

CVE-2014-4210 Server Side Request Forgery in SearchPublicRegistries.jspAffected Software: Oracle Fusion Middleware 10.0.2, 10.3.6Oracle WebLogic web server is often both (a) externally accessible; and (b) permitted to invoke connections to internal hosts. The SearchPublicRegistries.jsp page can be abused by unauthenticated attackers to cause the WebLogic web server to connect to an arbitrary TCP port of an arbitrary host. Responses returned are fairly verbose and can be used to infer whether a service is listening on the port specified.Below is an example request to an internal host which is not listening on TCP port 23:<pre>https://[vulnerablehost]/uddiexplorer/SearchPublicRegistries.jsp?operator=http://10.0.0.4:23&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search</pre>Response snippet:<pre>weblogic.uddi.client.structures.exception.XML_SoapException: Connection refused</pre>Below is an example request to a host which is listening on TCP port 22:<pre>https://[vulnerablehost]/uddiexplorer/SearchPublicRegistries.jsp?operator=http://10.0.0.4:22&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search</pre>Response snippet:<pre>weblogic.uddi.client.structures.exception.XML_SoapException: Received a response from url: http://10.0.0.4:22 which did not have a valid SOAP content-type: unknown/unknown.</pre>It is possible to abuse this functionality to discover and port scan any host that the WebLogic server can access. In the event that a discovered service returns a valid SOAP response, it may be possible to view the contents of the response.SSRF vulnerabilities offer a world of possibilities – for example, this could be used to scan for services and resources present on the WebLogic server’s loopback interface, to port scan hosts adjacent to the WebLogic server, or to profile outgoing firewall rules (e.g. port scan an external attacker-controlled server to see which outgoing connections are permitted).