=====[BEGIN-ACROS-REPORT]===== PUBLIC

=========================================================================
ACROS Security Problem Report #2008-03-11-2
-------------------------------------------------------------------------
ASPR #2008-03-11-2: Session Fixation Vulnerability in WebLogic
Administration Console
=========================================================================

Document ID:   ASPR #2008-03-11-2-PUB
Vendor:        BEA Systems (http://www.bea.com)
Target:        BEA WebLogic Server 10.0
Impact:        There is a session fixation vulnerability [1] in the BEA
               WebLogic 10.0 Administration Console that allows an
               attacker to assume the administrator's identity and thus
               gain administrative access to the console.
Severity:      High
Status:        Official patch available, workarounds available
Discovered by: Mitja Kolsek of ACROS Security

Current version
http://www.acrossecurity.com/aspr/ASPR-2008-03-11-2-PUB.txt


Summary
=======

There is a session fixation vulnerability [1] in the BEA WebLogic 10.0
Administration Console that allows an attacker to assume the
administrator's identity and thus gain administrative access to the
console. The session management used for setting up and maintaining
administrative sessions allows the attacker to fix the administrative
session cookie(s) in the administrator's web browser and then use the
same cookie(s) to access the Administration Console after the
administrator has logged in.

The vulnerability is exploitable even if the Administration Console is
only accessed/accessible via HTTPS and even if the Administrative Port
is enabled.


Product Coverage
================

- WebLogic Server 10.0

Notes: Our tests were only performed on the above product version.
Other versions may or may not be affected.


Analysis
========

During a recent security analysis of a WebLogic-based application for
one of our customers we took a quick look at the WebLogic Administration
Console and found it to be vulnerable to a session fixation attack that
also works through the Administrative Port.
This attack, however, depends on two conditions:

1) The attacker must be (or obtain the identity of) a non-administrative
   WebLogic user; and

2) The WebLogic administrator must log in to the Administration Console
   directly through the URL path /console/login/LoginForm.jsp (and not
   through /console or /console/, which are much more likely).

If the attacker fixes authentication cookies in the administrator's
browser (see [1] for various ways to do that), she effectively "hands
over" her identity to the administrator. The administrator, with such
cookies fixed, logs in to the Administration Console and does not
receive any new cookies from the Console: the session identified by the
fixed cookies is not replaced by a fresh one at authentication. His
successful authentication therefore overwrites the state of that session
so that it becomes associated with the administrator (and no longer with
the attacker's non-administrative user).

The final result is that the administrator who has just logged in to the
Administration Console is using exactly the same cookies as the attacker;
the attacker therefore automatically gains access to the administrator's
session and obtains the administrator's identity.


Solution
========

BEA Systems has issued a security bulletin [2] and published a patch
which fixes this issue.


Workaround
==========

WebLogic administrators can manually delete all cookies in their
browsers before logging in to the Administration Console. Since the
attack also requires the administrator to log in directly through
/console/login/LoginForm.jsp (condition 2 above), logging in through
/console or /console/ instead avoids it as well.


References
==========

[1] ACROS Security, "Session Fixation Vulnerability in Web-based
    Applications"
    http://www.acrossecurity.com/papers/session_fixation.pdf

[2] BEA Systems Security Advisory BEA08-196.00
    http://dev2dev.bea.com/pub/advisory/270


Acknowledgments
===============

We would like to acknowledge Gordon Engel and Neil Smithline of BEA
Systems for professional handling of the identified vulnerability.


Contact
=======

ACROS d.o.o.
Makedonska ulica 113
SI - 2000 Maribor

e-mail: security@acrossecurity.com
web:    http://www.acrossecurity.com
phone:  +386 2 3000 280
fax:    +386 2 3000 282

ACROS Security PGP Key
http://www.acrossecurity.com/pgpkey.asc
[Fingerprint: FE9E 0CFB CE41 36B0 4720 C4F1 38A3 F7DD]

ACROS Security Advisories
http://www.acrossecurity.com/advisories.htm

ACROS Security Papers
http://www.acrossecurity.com/papers.htm

ASPR Notification and Publishing Policy
http://www.acrossecurity.com/asprNotificationAndPublishingPolicy.htm


Disclaimer
==========

The content of this report is purely informational and meant only for
the purpose of education and protection. ACROS d.o.o. shall in no event
be liable for any damage whatsoever, direct or implied, arising from use
or spread of this information. All identifiers (hostnames, IP addresses,
company names, individual names etc.) used in examples and demonstrations
are used only for explanatory purposes and have no connection with any
real host, company or individual. In no event should it be assumed that
use of these names means specific hosts, companies or individuals are
vulnerable to any attacks nor does it mean that they consent to being
used in any vulnerability tests. The use of information in this report
is entirely at user's risk.


Revision History
================

March 11, 2008: Initial release


Copyright
=========

(c) 2008 ACROS d.o.o.

Forwarding and publishing of this document is permitted providing the
content between "[BEGIN-ACROS-REPORT]" and "[END-ACROS-REPORT]" marks
remains unchanged.

=====[END-ACROS-REPORT]=====
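The mechanism described in the Analysis section of the report above, and the kind of fix the Solution section refers to, as an added example that is not part of the ACROS report and is not BEA's or WebLogic's code. It is a small Python model of a login handler in two variants: one that, like the vulnerable console, binds the authenticated identity to whatever session the presented cookie names, and one that discards the pre-authentication session and issues a fresh ID at login. The attack sequence from the Analysis is replayed against both, and a check function shows what a practitioner would test on a real target: whether the session ID changes across authentication. The user names, roles, cookie name, in-memory session store and how the cookie gets planted are all assumptions for illustration; the real console paths and the vendor patch are not modelled.

```python
"""
Model of the session fixation scenario described in the advisory.
Added example; not ACROS's or BEA's code. User names, roles, the cookie
name and the session store are assumed for illustration.
"""
import secrets

# Constructed user database: one non-administrative user (the identity
# the attacker holds) and one administrator. Passwords are placeholders.
USERS = {
    "lowpriv": {"password": "lowpriv-pw", "role": "Monitor"},
    "weblogic": {"password": "admin-pw", "role": "Admin"},
}

COOKIE = "ADMINCONSOLESESSION"  # assumed cookie name, not the real one


class Server:
    """Minimal in-memory session store with two login behaviours."""

    def __init__(self, rotate_on_login: bool):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}  # session id -> {"user": ..., "role": ...}

    def new_session(self) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None, "role": None}
        return sid

    def login(self, cookies: dict, username: str, password: str) -> dict:
        """Authenticate and return the cookie the browser will store."""
        user = USERS.get(username)
        if user is None or user["password"] != password:
            raise PermissionError("bad credentials")
        sid = cookies.get(COOKIE)
        if sid not in self.sessions:
            sid = self.new_session()
        if self.rotate_on_login:
            # Fixed behaviour: drop the pre-authentication session and bind
            # the identity to a fresh ID the attacker has never seen.
            del self.sessions[sid]
            sid = self.new_session()
        # Vulnerable behaviour (rotate_on_login=False): the identity is
        # written into whatever session the presented cookie names, so a
        # planted cookie now carries the administrator's session.
        self.sessions[sid].update(user=username, role=user["role"])
        return {COOKIE: sid}

    def whoami(self, cookies: dict):
        """Identity the server associates with the presented cookie."""
        sess = self.sessions.get(cookies.get(COOKIE))
        return (sess["user"], sess["role"]) if sess else (None, None)


def run_attack(server: Server):
    """Replay the advisory's scenario; return what the planted cookie is
    worth to the attacker once the administrator has logged in."""
    # 1. Attacker authenticates as a non-administrative user, keeps cookie.
    attacker_cookies = server.login({}, "lowpriv", "lowpriv-pw")
    # 2. Attacker fixes that cookie in the administrator's browser (the
    #    planting technique is out of scope here; see reference [1]).
    admin_browser = dict(attacker_cookies)
    # 3. Administrator logs in with the planted cookie already present.
    admin_browser.update(server.login(admin_browser, "weblogic", "admin-pw"))
    # 4. Attacker reuses the cookie she planted.
    return server.whoami(attacker_cookies)


def session_id_rotates_on_login(server: Server) -> bool:
    """The check to run against a target: does the session ID presented
    before authentication differ from the one issued after it?"""
    before = server.new_session()
    after = server.login({COOKIE: before}, "lowpriv", "lowpriv-pw")[COOKIE]
    return after != before


if __name__ == "__main__":
    print("vulnerable:", run_attack(Server(rotate_on_login=False)))
    print("fixed:     ", run_attack(Server(rotate_on_login=True)))
```

In the vulnerable variant the attacker's cookie resolves to the administrator's identity after the administrator logs in; in the fixed variant it resolves to nothing, because the session it named was invalidated at authentication. In a Java servlet container the equivalent fix is to call `invalidate()` on any session that exists before authentication and obtain a new one with `getSession(true)` only after the credentials have been verified. Against a live target, `session_id_rotates_on_login` translates to comparing the session cookie value received before submitting the login form with the one received after a successful login.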