Red Hat, Inc. Information for VU#114956

Sun ONE and Sun Java System Applications vulnerable to cross-site scripting via default error page



Vendor Statement

Vendor Statement: Red Hat, Inc.

Netscape Enterprise Server 6.0 is vulnerable to this issue. A workaround
that completely blocks this issue is available below. Please note that
Netscape Enterprise Server 6.0 is discontinued and Red Hat will not be
releasing software updates for this issue.

Workaround: Set a default error message for "Not Found" that does not
include a link to the referring page. To configure such a message, follow
these steps:

- Log into admin server
- Select an instance to manage
- Select Class Manager in the upper-right
- Select the Content Management tab
- Select Error Responses link in left frame
- You need to define a Custom Error Response for Error code: Not found.
- Add the entire path to a file under File, or redirect the user
elsewhere. See the Help button for more information.
- Save, then Apply to restart the server

Alternatively, manually add an error response, such as the following, to

Error fn="send-error" reason="Not Found"

The content that Netscape Enterprise Server would send without the
referring site is:

<HEAD><META HTTP-EQUIV="Content-Type"
CONTENT="text/html;charset=ISO-8859-1"><TITLE>Not Found</TITLE></HEAD>
<H1>Not Found</H1> The requested object does not exist on this server. The
link you followed is either outdated, inaccurate, or the server has
been instructed not to let you have it.
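The following Python is an added illustration, not code from Red Hat, Sun or the CERT note: it reconstructs the weak pattern the workaround removes (a "Not Found" page that links back to the referring page) beside the static response above and an escaping alternative. It assumes the referring-page link is built from the HTTP Referer header, and the Referer values are constructed samples.

```python
import html
from urllib.parse import urlsplit

# Constructed sample Referer values for the demonstration (not real traffic).
SAFE_REFERER = "http://intranet.example/list.html"
TAINTED_REFERER = 'http://example.test/page?q=<marker>&r="quote"'

# Static "Not Found" body reproduced from the vendor statement: this is what
# the server sends when no referring-site link is included.
STATIC_NOT_FOUND = (
    '<HEAD><META HTTP-EQUIV="Content-Type" '
    'CONTENT="text/html;charset=ISO-8859-1"><TITLE>Not Found</TITLE></HEAD>\n'
    "<H1>Not Found</H1> The requested object does not exist on this server. "
    "The link you followed is either outdated, inaccurate, or the server has "
    "been instructed not to let you have it."
)


def reflected_not_found(referer):
    """Illustrative reconstruction (assumed, not the real server code) of the
    weak pattern: the raw Referer header is spliced into the 404 body as a back
    link, so any markup the client put in the header reaches the page."""
    back = f'<P>Return to <A HREF="{referer}">{referer}</A>' if referer else ""
    return STATIC_NOT_FOUND + back


def static_not_found(referer=None):
    """The advisory's workaround: the custom error response ignores the
    Referer header, so no client-controlled text reaches the page."""
    return STATIC_NOT_FOUND


def escaped_not_found(referer):
    """Alternative hardening if a back link is wanted: accept only an absolute
    http(s) URL and HTML-escape it before it is placed in markup."""
    parts = urlsplit(referer or "")
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return STATIC_NOT_FOUND
    safe = html.escape(referer, quote=True)
    return STATIC_NOT_FOUND + f'<P>Return to <A HREF="{safe}">{safe}</A>'


def leaks_raw_referer(body, referer):
    """Detection check for a response body: is the header echoed verbatim?"""
    return bool(referer) and referer in body


if __name__ == "__main__":
    for fn in (reflected_not_found, static_not_found, escaped_not_found):
        print(fn.__name__, "echoes raw Referer:",
              leaks_raw_referer(fn(TAINTED_REFERER), TAINTED_REFERER))
```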

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References



US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.