Red Hat, Inc. Information for VU#114956

Sun ONE and Sun Java System Applications vulnerable to cross-site scripting via default error page

Status

Affected

Vendor Statement

Vendor Statement: Red Hat, Inc.

Netscape Enterprise Server 6.0 is vulnerable to this issue. A work around
that completely blocks this issue is available below. Please note that
Netscape Enterprise Server 6.0 is discontinued and Red Hat will not be
releasing software updates for this issue.

Workaround: Set a default error message for "Not Found" that does not
include a link to the referring page. To configure such a message, follow
these steps:

- Log into admin server
- Select an instance to manage
- Select Class Manager in the upper-right
- Select the Content Management tab
- Select Error Responses link in left frame
- You need to define a Custom Error Response for Error code: Not found.
- Add the entire path to a file under File, or redirect the user
elsewhere. See the Help button for more information.
- Save, then Apply to restart the server

Alternatively, manually add an error response, such as the following, to
obj.conf:

Error fn="send-error" reason="Not Found"
path="/path/to/docs/errors/notfound.html"

The content that Netscape Enterprise Server would send without the
referring site is:

<HEAD><META HTTP-EQUIV=\"Content-Type\"
CONTENT=\"text/html;charset=ISO-8859-1\"><TITLE>Not Found</TITLE></HEAD>
<H1>Not Found</H1> The requested object does not exist on this server. The
link you followed is either outdated, inaccurate, or the server has
been instructed not to let you have it.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.