Note: This is an archival copy of Security Sun Alert 201009 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000761.1.
Date of Resolved Release
The sample application "webapps-simple" included with Sun Java System Web Server 6.1 (formerly Sun ONE Web Server 6.1), may be vulnerable to cross-site scripting attacks.
Because of this cross-site scripting vulnerability, a user who follows an untrusted link/URI in a web page, mail message, or newsgroup posting may unintentionally execute, in their browser, a script written by a remote unprivileged user. By getting the user to follow such a link/URI, the remote attacker may be able to execute commands with the privileges of the user who accessed it.
This issue is described in the SPI Security Advisory located at http://www.securityfocus.com/archive/1/322946/2003-05-25/2003-05-31/0.
In addition, see the following URLs for details about cross-site scripting and web script vulnerabilities:
This issue can occur in the following releases on all platforms:
For supported architectures and OS versions see http://wwws.sun.com/software/products/web_srvr/home_web_srvr.html.
There are no reliable symptoms that would indicate the described issue has been exploited.
There is no workaround. Please see the "Resolution" section.
Note: Customers should review the aforementioned CERT documents, in addition to the following URL, for information on how to mitigate the risks of these issues, including details on hardening web servers, modifying web browsers to disable scripting languages, and advice for developers. See the practices numbered 18-22 at http://www.cert.org/security-improvement/.
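The advisory describes the mechanism (request data from an untrusted link reflected into the page so that attacker-written script runs in the victim's browser) and points developers at mitigation practices without showing code. The following is an added example, not code from the Sun Alert or from the webapps-simple sample; the handler names, the "/sample/echo" path and the request URI are constructed for illustration. It puts the unsafe echo pattern beside its hardened form: the same query parameter is written into the response either verbatim or HTML-entity encoded for the element-body context. The technique is language-agnostic; Python is used here only so the example runs stand-alone.

```python
"""Reflected XSS: the unsafe echo pattern beside its hardened form.

Added example, not code from the Sun Alert or the webapps-simple sample.
Handler names, the /sample/echo path and SAMPLE_URI are constructed.
"""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed request URI of the kind an untrusted link/URI would carry:
# the query string holds markup instead of a plain value.
SAMPLE_URI = "/sample/echo?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E"


def query_param(uri: str, key: str) -> str:
    """Return the first (percent-decoded) value of `key` in the URI's query
    string, or "" when the parameter is absent."""
    values = parse_qs(urlsplit(uri).query, keep_blank_values=True).get(key, [""])
    return values[0]


def render_unsafe(uri: str) -> str:
    """Vulnerable pattern: request data is concatenated into the HTML response
    verbatim, so any markup in the query string becomes part of the page and
    is parsed by the browser as the site's own content."""
    name = query_param(uri, "name")
    return "<html><body>Hello, " + name + "!</body></html>"


def render_hardened(uri: str) -> str:
    """Hardened form: the same value is HTML-entity encoded for the element
    body context before it is written, so '<', '>', '&' and quotes are shown
    as text rather than interpreted as markup."""
    name = query_param(uri, "name")
    return "<html><body>Hello, " + html.escape(name, quote=True) + "!</body></html>"


def contains_script_element(page: str) -> bool:
    """Crude check used only to make the difference visible: does the response
    body contain a literal <script> start tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    for label, render in (("unsafe", render_unsafe), ("hardened", render_hardened)):
        body = render(SAMPLE_URI)
        print(f"{label:9s} script element present: {contains_script_element(body)}")
        print("          ", body)
```

Encoding at the point of output is the developer-side mitigation the CERT practices describe; it has to match the context the value lands in (element body here; attribute, URL and JavaScript contexts each need their own encoding), which is why a single "sanitize on input" pass is not a substitute.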
This issue is addressed in the following release:
Sun Java System Web Server 7.0
Sun Java System Web Server releases are available at http://wwws.sun.com/software/download/inter_ecom.html#webs.