Note: This is an archival copy of Security Sun Alert 200314 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000238.1.
Article ID : 1000238.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-01-24
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Cross Site Scripting Vulnerability in Sun Java System Application Server
Category
Security

Release Phase
Resolved

Bug Id
6181948

Date of Resolved Release
01-MAR-2005

Impact

Due to this cross-site scripting vulnerability, users may unintentionally execute, in their browser, scripts written by a remote unprivileged user if they follow untrusted links/URIs in web pages, mail messages, or newsgroup postings. By following these untrusted links/URIs, the remote attacker may be able to execute commands with the privileges of the user who accessed the link/URI.

Sun acknowledges with thanks Eric Hobbs of MagnaWare for bringing this issue to our attention.

Additional information about cross-site scripting and web script vulnerabilities can be found at the following URLs:

http://www.cert.org/archive/pdf/cross_site_scripting.pdf

http://www.cert.org/tech_tips/malicious_code_FAQ.html

http://www.cert.org/advisories/CA-2000-02.html


Contributing Factors

This issue can occur in the following releases for all platforms:

  • Sun Java System Application Server Standard Edition 7 Update Release 5 or earlier
  • Sun Java System Application Server Platform Edition 7 Update Release 5 or earlier
  • Sun Java System Application Server 7 2004Q2 Standard Edition Update Release 1 or earlier
  • Sun Java System Application Server 7 2004Q2 Enterprise Edition Update Release 1 or earlier

Note: Sun Java System Application Server 8 2005Q1 and Sun Java System Application Server 8 (Platform Edition) are not affected.


Symptoms

There are no reliable symptoms that would indicate the described issue has been exploited.


Workaround

There is no workaround. Please see the "Resolution" section below.


Resolution

This issue is addressed in the following releases:

  • Sun Java System Application Server 7 Standard Edition Update 6 and later
  • Sun Java System Application Server 7 Platform Edition Update 6 and later
  • Sun Java System Application Server 7 2004Q2 Standard Edition Update 2 and later
  • Sun Java System Application Server 7 2004Q2 Enterprise Edition Update 2 and later

Sun Java System Application Server 7 Standard Edition, Update 6 is available for download at http://www.sun.com/download/products.xml?id=41c239a4

Sun Java System Application Server 7 Platform Edition, Update 6 is available for download at http://www.sun.com/download/products.xml?id=41c374e2

Sun Java System Application Server 7 2004Q2 Standard Edition, Update 2 is available for download at http://www.sun.com/download/products.xml?id=41e32dfb

For the Sun Java System Application Server 7 2004Q2 Enterprise Edition, Update 2, please see the Sun Online Support Center at https://osc-amer.sun.com/OSCSW/svcportal?pageName=clselection



Modification History

Product
Sun Java System Application Server Platform Edition 8
Attachments
This solution has no attachment