Note: This is an archival copy of Security Sun Alert 201009 as previously published on
The latest version of this security advisory is available as Sun Alert 1000761.1.
Article ID : 1000761.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-01-24
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Vulnerability In Sample Application Included With Sun Java System Web Server


Release Phase:

Bug Id:

Date of Resolved Release:

Impact

The sample application "webapps-simple" included with Sun Java System Web Server 6.1 (formerly Sun ONE Web Server 6.1) may be vulnerable to cross-site scripting attacks.

Through this cross-site scripting vulnerability, users may unintentionally execute scripts written by a remote unprivileged user in their browser if they follow untrusted links/URIs in web pages, mail messages, or newsgroup postings. When a user follows such a link/URI, the remote attacker may be able to execute commands with the privileges of that user.

This issue is described in the SPI Security Advisory located at

In addition, see the following URLs for details about cross-site scripting and web script vulnerabilities:

Contributing Factors

This issue can occur in the following releases on all platforms:

  • Sun Java System Web Server 6.1
  • Sun Java System Web Server 6.1 Service Pack 1 and earlier


  1. Releases of Sun Java System Web Server prior to 6.1 are not affected.
  2. This is an issue only if the sample application is deployed. It is not deployed by default.

For supported architectures and OS versions see


Symptoms

There are no reliable symptoms that would indicate the described issue has been exploited.


Workaround

There is no workaround. Please see the "Resolution" section.

Note: Customers should review the aforementioned CERT documents, in addition to the following URL, for information on how to mitigate the risks of these issues, including details on hardening web servers, modifying web browsers to disable scripting languages, and advice for developers. See the practices numbered 18-22 at


Resolution

This issue is addressed in the following release:

  • Sun Java System Web Server 6.1 Service Pack 2 and later

Sun Java System Web Server releases are available at

Modification History

Sun Java System Web Server 7.0
