CERT home
vulnerabilities & fixesevaluations & practicesresearch & analysistraining & education
homesearchFAQsite indexcontact
Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information
 

 View Notes By
Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric

Vulnerability Note VU#114956

Sun ONE and Sun Java System Applications vulnerable to cross-site scripting via default error page

Overview

A cross-site scripting vulnerability in Sun ONE and Sun Java System Applications may allow an attacker to read or modify data in web pages and cookies.

I. Description

From Sun Alert Notification 102164:

    A Cross Site Scripting (XSS) vulnerability in various releases of the Sun Java System Web Server and Sun Java System Application Server may allow an unprivileged local or remote user to steal cookie information, hijack sessions, or cause a loss of data privacy between a client and the server.

Vulnerable web servers do not adequately validate the contents of the HTTP REFERER header before using the contents in the default error page.

Sun states that the following products can be affected:
  • Sun ONE Web Server 6.0 Service Pack 9 and earlier
  • Sun Java System Web Server 6.1 Service Pack 4 and earlier
  • Sun ONE Application Server 7 Platform Edition Update 6 and earlier
  • Sun ONE Application Server 7 Standard Edition Update 6 and earlier
  • Sun Java System Application Server 7 2004Q2 Standard Edition Update 2 and earlier
  • Sun Java System Application Server 7 2004Q2 Enterprise Edition Update 2 and earlier
Sun ONE Web Server is derived from Netscape Enterprise Server. Netscape Enterprise Server was also ported to Novell Netware. Netscape Enterprise Server, iPlanet Web Server, Novell NetWare Enterprise Web Server, and other web servers derived from Netscape Enterprise Server may be affected.

II. Impact

By convincing a user to visit a web page, an attacker could read or modify the contents of web pages on a vulnerable web server. The attacker could read sensitive information, steal cookies, or modify the contents of a web page.

III. Solution

Apply an update

Please see Sun Alert Notification 102164 for information about updated software.

Change default error page

Change the default error page to not include the contents of the REFERER header. Red Hat has kindly provided instructions for changing the default error page on Netscape Enterprise Server 6.0.

Systems Affected

VendorStatusDate Updated
Netscape Communications CorporationUnknown10-Aug-2006
Novell, Inc.Unknown10-Aug-2006
Red Hat, Inc.Vulnerable10-Aug-2006
Sun Microsystems, Inc.Vulnerable10-Aug-2006

References


http://sunsolve.sun.com/search/document.do?assetkey=1-26-102164-1
http://jvn.jp/jp/JVN%2303D5EAA8/index.html
http://www.ipa.go.jp/security/vuln/documents/2006/JVN_03D5EAA8_SJSWebServer.html
http://www.cert.org/archive/pdf/cross_site_scripting.pdf
http://secunia.com/advisories/20147/
http://www.auscert.org.au/6341

Credit

Thanks to JPCERT/CC and IPA for reporting this vulnerability.

This document was written by Katie Washok and Art Manion.

Other Information

Date Public03/08/2005
Date First Published08/10/2006 11:53:57 AM
Date Last Updated08/15/2006
CERT Advisory 
CVE NameCVE-2006-2501
Metric14.50
Document Revision32

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

Copyright 2006 Carnegie Mellon University