May 20, 2006

[SA20147] Sun ONE/Java System Web Server Cross-Site Scripting Vulnerability


TITLE:
Sun ONE/Java System Web Server Cross-Site Scripting Vulnerability

SECUNIA ADVISORY ID:
SA20147

VERIFY ADVISORY:
http://secunia.com/advisories/20147/

CRITICAL:
Less critical

IMPACT:
Cross Site Scripting

WHERE:
From remote

SOFTWARE:
Sun Java System Application Server (Sun ONE) 7.x
http://secunia.com/product/1534/
Sun Java System Web Server (Sun ONE/iPlanet) 6.x
http://secunia.com/product/92/

DESCRIPTION:
Keigo Yamazaki has reported a vulnerability in Sun ONE and Sun Java
System Web Server, which can be exploited by malicious people to
conduct cross-site scripting attacks.

Input containing a double-quote (") character in the URL is not
properly sanitised before being returned to users in error pages.
This can be exploited to execute arbitrary HTML and script code in a
user's browser session in the context of a vulnerable site.
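The defect class described above (a request path reflected into an error page without encoding, so that a double quote breaks out of an HTML attribute) is easy to see in a small model. The following Python is an added illustration, not the web server's own code and not the original advisory's content: the error-page template, the sample request path and the access-log lines are all constructed. It shows the unencoded reflection beside its hardened form (HTML-escaping with `quote=True`, which also turns `"` into `&quot;`), a response check a tester can run against any page, and a detection that flags access-log requests whose decoded path carries a double quote.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample: a request path that contains double quotes.
SAMPLE_PATH = '/docs/"quoted"/page'


def error_page_unsafe(requested_path: str) -> str:
    """Hypothetical 404 page that reflects the request path without any
    output encoding. The second interpolation sits inside a quoted HTML
    attribute, so a '"' in the path terminates the attribute value."""
    return (
        "<html><body><h1>Not Found</h1>"
        f"<p>The requested URL {requested_path} was not found.</p>"
        f'<a href="{requested_path}">retry</a>'
        "</body></html>"
    )


def error_page_hardened(requested_path: str) -> str:
    """Same template with HTML-escaping applied to the reflected value.
    quote=True is essential: without it html.escape leaves '"' alone and
    the attribute context would still be breakable."""
    safe = html.escape(requested_path, quote=True)
    return (
        "<html><body><h1>Not Found</h1>"
        f"<p>The requested URL {safe} was not found.</p>"
        f'<a href="{safe}">retry</a>'
        "</body></html>"
    )


def reflects_raw_quote(page_html: str, requested_path: str) -> bool:
    """Response check: True if a path containing '"' is echoed back verbatim,
    i.e. the quote survived unencoded into the page."""
    return '"' in requested_path and requested_path in page_html


# Common Log Format request field: "METHOD target HTTP/x.y"
LOG_LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_requests(log_lines):
    """Detection: return request targets whose percent-decoded path contains
    a double quote, whether it was sent raw or as %22."""
    hits = []
    for line in log_lines:
        m = LOG_LINE_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        if '"' in unquote(target):
            hits.append(target)
    return hits


# Constructed access-log sample (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [20/May/2006:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1532',
    '192.0.2.11 - - [20/May/2006:10:01:05 +0000] "GET /docs/"quoted"/page HTTP/1.0" 404 512',
    '192.0.2.12 - - [20/May/2006:10:01:09 +0000] "GET /docs/%22x%22 HTTP/1.1" 404 512',
]


if __name__ == "__main__":
    print("unsafe reflects raw quote:", reflects_raw_quote(error_page_unsafe(SAMPLE_PATH), SAMPLE_PATH))
    print("hardened reflects raw quote:", reflects_raw_quote(error_page_hardened(SAMPLE_PATH), SAMPLE_PATH))
    print("escaped value:", html.escape(SAMPLE_PATH, quote=True))
    print("suspicious requests:", suspicious_requests(SAMPLE_LOG))
```

The response check is the same test a verifier would apply to a real error page: send a path with a literal double quote and confirm the response contains `&quot;` (or drops the character) rather than the raw `"`. The log scan decodes before matching because the quote usually reaches the server as `%22`.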

The vulnerability has been reported in the following versions:

  • Sun ONE Web Server 6.0 Service Pack 9 and earlier.
  • Sun Java System Web Server 6.1 Service Pack 4 and earlier.
  • Sun ONE Application Server 7 Platform Edition Update 6 and
    earlier.
  • Sun ONE Application Server 7 Standard Edition Update 6 and
    earlier.
  • Sun Java System Application Server 7 2004Q2 Standard Edition Update
    2 and earlier.
  • Sun Java System Application Server 7 2004Q2 Enterprise Edition
    Update 2 and earlier.

SOLUTION:
Apply Service Pack or updates.

Sun ONE Web Server 6.0:
Apply Service Pack 10 or later.
http://www.sun.com/download/products.xml?id=43a84f89

Sun Java System Web Server 6.1:
Apply Service Pack 5 or later.
http://www.sun.com/download/products.xml?id=434aec1d
(International version at
http://www.sun.com/download/products.xml?id=43c43041)

Sun ONE Application Server 7 Platform Edition:
Apply Update 7 or later.
http://www.sun.com/download/products.xml?id=42ae3178

Sun ONE Application Server 7 Standard Edition:
Apply Update 7 or later.
http://www.sun.com/download/products.xml?id=42ae317c

Sun Java System Application Server 7 2004Q2 Standard Edition:
Apply Update 3 or later.
http://www.sun.com/download/products.xml?id=427fe06d

Sun Java System Application Server 7 2004Q2 Enterprise Edition:
Apply Update 3 or later.
http://javashoplm.sun.com/ECom/docs/Welcome.jsp?StoreId=8&PartDetailId=SJAS72004Q2U3-EE-OTH-G-ES

PROVIDED AND/OR DISCOVERED BY:
Keigo Yamazaki, LAC

ORIGINAL ADVISORY:
Sun Microsystems:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102164-1

LAC:
http://www.lac.co.jp/business/sns/intelligence/SNSadvisory_e/87_e.html


About:
This advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third-party patches, only
to use those supplied by the vendor.