Vulnerability Note VU#114956

Sun ONE and Sun Java System Applications vulnerable to cross-site scripting via default error page

Original Release date: 10 Aug 2006 | Last revised: 15 Aug 2006

Overview

A cross-site scripting vulnerability in Sun ONE and Sun Java System Applications may allow an attacker to read or modify data in web pages and cookies.

Description

From Sun Alert Notification 102164:

    A Cross Site Scripting (XSS) vulnerability in various releases of the Sun Java System Web Server and Sun Java System Application Server may allow an unprivileged local or remote user to steal cookie information, hijack sessions, or cause a loss of data privacy between a client and the server.

Vulnerable web servers do not adequately validate the contents of the HTTP REFERER header before using the contents in the default error page.

Sun states that the following products can be affected:
  • Sun ONE Web Server 6.0 Service Pack 9 and earlier
  • Sun Java System Web Server 6.1 Service Pack 4 and earlier
  • Sun ONE Application Server 7 Platform Edition Update 6 and earlier
  • Sun ONE Application Server 7 Standard Edition Update 6 and earlier
  • Sun Java System Application Server 7 2004Q2 Standard Edition Update 2 and earlier
  • Sun Java System Application Server 7 2004Q2 Enterprise Edition Update 2 and earlier
Sun ONE Web Server is derived from Netscape Enterprise Server. Netscape Enterprise Server was also ported to Novell Netware. Netscape Enterprise Server, iPlanet Web Server, Novell NetWare Enterprise Web Server, and other web servers derived from Netscape Enterprise Server may be affected.

Impact

By convincing a user to visit a web page, an attacker could read or modify the contents of web pages on a vulnerable web server. The attacker could read sensitive information, steal cookies, or modify the contents of a web page.

Solution

Apply an update
Please see Sun Alert Notification 102164 for information about updated software.


Change default error page

Change the default error page to not include the contents of the REFERER header. Red Hat has kindly provided instructions for changing the default error page on Netscape Enterprise Server 6.0.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Red Hat, Inc.Affected08 Mar 200510 Aug 2006
Sun Microsystems, Inc.Affected08 Mar 200510 Aug 2006
Netscape Communications CorporationUnknown08 Mar 200510 Aug 2006
Novell, Inc.Unknown08 Mar 200510 Aug 2006
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

Thanks to JPCERT/CC and IPA for reporting this vulnerability.

This document was written by Katie Washok and Art Manion.

Other Information

  • CVE IDs: CVE-2006-2501
  • Date Public: 08 Mar 2005
  • Date First Published: 10 Aug 2006
  • Date Last Updated: 15 Aug 2006
  • Severity Metric: 14.50
  • Document Revision: 32

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.