Note: This is an archival copy of Security Sun Alert 200806 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000610.1.
Article ID : 1000610.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-01-24
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Sun One Application Server May Disclose JSP Source
Category
Security

Release Phase
Resolved

Bug Id
4838909, 4773335, 4840324, 4733798

Date of Workaround Release
03-JUN-2003

Date of Resolved Release
19-DEC-2003

Impact

SPI Labs have reported the following issues with Sun ONE Application Server.

1. JSP Source code Disclosure

  • It may be possible to view the source code of JSP applications deployed on the Windows platform.

2. Log evasion

  • When a request with a long URI is sent to the Application Server, only the first 4042 characters of the request URI are logged.

3. Cross-site scripting

  • A sample application shipped with the product may be vulnerable to cross-site scripting attacks.

4. Statefile permissions on Windows

  • A statefile is created during installation of the Application Server. This file can be used as a template for silent installation on other machines. On the Windows platform, this file is world-readable.

These issues are described in the SPI Security Advisory located at:

	http://www.securityfocus.com/archive/1/322946/2003-05-25/2003-05-31/0

Contributing Factors

These issues can occur in the following releases:

  • Sun ONE Application Server 7.0 SE
  • Sun ONE Application Server 7.0 PE

For supported architectures and OS versions see:

Standard Edition:

    http://wwws.sun.com/software/download/products/3ec3e772.htm

Platform Edition:

    http://wwws.sun.com/software/download/products/3ec1008e.htm

Symptoms

Log evasion

The following error message may be found in the server log:

    WARNING: HTTP4198: flex log buffer overflow- greater than 4096 character
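The following script is an added example and is not part of the Sun Alert. It turns the two facts the alert gives about the log-evasion issue (Impact item 2 and the HTTP4198 warning above) into a check an administrator can run over the server log and access log: any HTTP4198 warning means at least one request exceeded the flex log buffer, and any logged URI that reaches 4042 characters may have been cut off. The log line formats, the sample lines and the log paths in the comments are assumptions; only the warning text and the 4042 limit come from the alert.

```powershell
# Added example, not from the Sun Alert. Looks for the log-evasion issue in
# Sun ONE Application Server 7 logs using two signals: the HTTP4198 warning
# quoted in the alert's Symptoms section, and access-log request URIs that reach
# the 4042-character limit the alert states for logged URIs.
# The log line formats below are assumptions; adjust the patterns to your deployment.

$TruncationLimit = 4042   # from the alert: only the first 4042 URI characters are logged

function Find-FlexLogOverflow {
    param([string[]]$Lines)
    # Warning text taken verbatim from the alert. Each hit means a request was too
    # long for the 4096-byte flex log buffer, so access-log entries from that period
    # cannot be trusted to hold complete request URIs.
    $Lines | Where-Object { $_ -match 'HTTP4198: flex log buffer overflow' }
}

function Find-TruncatedRequests {
    param([string[]]$Lines, [int]$Limit = $TruncationLimit)
    # Assumes a common-log-style request field: "METHOD URI [PROTOCOL]".
    # A logged URI at or above the limit is reported as possibly cut off.
    foreach ($line in $Lines) {
        if ($line -match '"(?<method>[A-Z]+) (?<uri>[^\s"]+)') {
            $uri = $Matches['uri']
            if ($uri.Length -ge $Limit) {
                $prefixLen = [Math]::Min(60, $uri.Length)
                [pscustomobject]@{
                    Method    = $Matches['method']
                    UriLength = $uri.Length
                    UriPrefix = $uri.Substring(0, $prefixLen) + '...'
                }
            }
        }
    }
}

# --- Constructed sample data (not real server output) so the script runs without a server ---
$sampleServerLog = @(
    '[25/May/2003:10:15:01] INFO: server started',
    '[25/May/2003:10:15:02] WARNING: HTTP4198: flex log buffer overflow- greater than 4096 character'
)
$longUri = '/index.jsp?q=' + ('A' * ($TruncationLimit - 13))   # exactly 4042 characters
$sampleAccessLog = @(
    '192.0.2.10 - - [25/May/2003:10:15:01 -0700] "GET /index.jsp HTTP/1.1" 200 512',
    ('192.0.2.10 - - [25/May/2003:10:15:02 -0700] "GET ' + $longUri + ' HTTP/1.1" 200 512')
)

Write-Host '== Flex log overflow warnings in server log =='
Find-FlexLogOverflow -Lines $sampleServerLog

Write-Host '== Access-log requests at the URI truncation limit =='
Find-TruncatedRequests -Lines $sampleAccessLog | Format-Table -AutoSize

# On a live server, feed the real files instead (assumed paths, adjust for your instance):
#   Find-FlexLogOverflow -Lines (Get-Content "$env:AS_DEF_DOMAINS_PATH\domains\<instancename>\logs\server.log")
#   Find-TruncatedRequests -Lines (Get-Content "$env:AS_DEF_DOMAINS_PATH\domains\<instancename>\logs\access")
```

The server-log warning is the reliable signal: it is emitted by the server itself whenever the buffer is exceeded. The URI-length check on the access log is a heuristic, since the alert does not say exactly what a truncated entry looks like, so treat its hits as candidates to correlate with the warning timestamps.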

Workaround

The following are workarounds for the cross-site scripting and the statefile permission issues:

1. Cross-site scripting

Un-deploy webapp-simple.ear if it is deployed. The deployed application will be in the following directory:

    $AS_DEF_DOMAINS_PATH/domains/<instancename>/applications/j2ee-modules/webapps-simple_1

The admin GUI will also show the deployed applications.

Note: Both AS_INSTALL and AS_DEF_DOMAINS_PATH are defined in the asenv.conf file.

2. Statefile permissions on Windows

When installing the Sun ONE Application Server on Windows, the default installation directory is "C:\sun".

Any file or directory created in this directory will be world-readable. The "statefile" located at "C:\sun\appserver7\statefile" contains a plain-text username and password for the administrative server. After installation, the administrator can either restrict the permissions on this file to "administrator only" or delete it, since its main purpose is silent installation on multiple machines.
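The script below is an added example, not part of the Sun Alert, showing one way to apply this workaround on Windows: it removes the inherited world-readable permissions from the statefile and grants access to the local Administrators group only, or deletes the file when run with -Delete. The statefile path is the default given in the alert; the choice of the built-in Administrators SID (rather than a named account) is this example's assumption.

```powershell
# Added example, not from the Sun Alert. Applies the alert's Windows workaround
# for the statefile: restrict it to Administrators only, or remove it.
# Default path is the one the alert gives; override -StateFile for other installs.
param(
    [string]$StateFile = 'C:\sun\appserver7\statefile',
    [switch]$Delete
)

if (-not (Test-Path -LiteralPath $StateFile)) {
    Write-Host "No statefile at $StateFile; nothing to do."
    return
}

if ($Delete) {
    # The alert notes the file's main purpose is silent installation on other
    # machines; once that is done it can simply be removed.
    Remove-Item -LiteralPath $StateFile -Force
    Write-Host "Removed $StateFile"
    return
}

$acl = Get-Acl -LiteralPath $StateFile

# Stop inheriting the world-readable ACEs from C:\sun and do not keep copies of them.
$acl.SetAccessRuleProtection($true, $false)

# Drop any explicit ACEs already set directly on the file.
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($rule)
}

# Grant full control to the local Administrators group only. Using the well-known
# SID avoids depending on the group's localized display name (example's choice).
$admins = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList `
    ([System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid), $null
$adminRule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
    $admins, 'FullControl', 'Allow'
$acl.AddAccessRule($adminRule)

Set-Acl -LiteralPath $StateFile -AclObject $acl

# Show the resulting ACL so the change can be verified; only Administrators should remain.
(Get-Acl -LiteralPath $StateFile).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

Run it from an elevated PowerShell session, since changing the ACL on a file under C:\sun requires administrative rights. Because the credential in the file is stored in plain text, deleting it after the silent installations are complete is the simpler of the two options the alert offers.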


Resolution

The cross-site scripting issue has been addressed with Sun ONE Application Server 7.0 Update Release 1 or later.

It is available for download at:

Standard Edition:

    http://wwws.sun.com/software/download/app_servers.html

Platform Edition:

    http://wwws.sun.com/software/download/app_servers.html

The logging and JSP source code issues have been addressed with Sun ONE Application Server 7.0 Update Release 2 or later.

It is available for download at:

    http://wwws.sun.com/software/download/app_servers.html

Note: Administrators installing the Sun ONE Application Server on Windows should either change the permission of the statefile or delete the file. There will not be a code fix for this issue. The recommendation to change permissions or delete the statefile will be documented in the release notes of Update 2.



Modification History
Date: 19-DEC-2003
  • Updated Resolution section
  • Changed State to Resolved


Product
Sun ONE Application Server 7, Platform Edition
Sun ONE Application Server 7, Standard Edition
