Note: This is an archival copy of Security Sun Alert 201453 as previously published on http://sunsolve.sun.com.
The latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001094.1.
Date of Resolved Release
When the Sun ONE Web Server is configured to log client hostnames instead of IP addresses, it may be possible for an attacker to embed malicious code in the log file.
This issue is described at: http://www.securityfocus.com/bid/7012
This issue can occur in the following releases:
There are no reliable symptoms that would show the described issue has been exploited.
To work around the described issue, log with the IP address (this is the default setting) instead of the hostname.
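A heuristic review of logs written while hostname logging was enabled, added here as an example and not part of the original advisory or of the server software: it assumes access logs in Common Log Format and flags entries whose client field is not a syntactically valid hostname or IP address. The function names and the sample lines are constructed for illustration.

```python
import ipaddress
import re

# Timestamp field of a Common Log Format line, e.g. [10/Mar/2003:13:55:36 -0800]
TIMESTAMP = re.compile(r"\[\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}\]")
# One DNS label: letters, digits, hyphen; no leading or trailing hyphen
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def is_plain_host(value):
    """True if value is an IP literal or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    if not value or len(value) > 253:
        return False
    return all(LABEL.fullmatch(label) for label in value.rstrip(".").split("."))


def suspicious_lines(lines):
    """Return (line_number, reason) for entries whose client field is unexpected."""
    findings = []
    for number, line in enumerate(lines, start=1):
        stamp = TIMESTAMP.search(line)
        if stamp is None:
            findings.append((number, "no timestamp field"))
            continue
        # Before the timestamp, CLF has exactly: client, ident, authuser
        prefix = line[:stamp.start()].split()
        if len(prefix) != 3:
            findings.append((number, "unexpected field count before timestamp"))
        elif not is_plain_host(prefix[0]):
            findings.append((number, "client field is not a hostname or IP"))
    return findings


# Constructed sample entries (not taken from a real server)
SAMPLE = [
    '192.0.2.10 - - [10/Mar/2003:13:55:36 -0800] "GET /index.html HTTP/1.0" 200 2326',
    'host1.example.net - - [10/Mar/2003:13:55:40 -0800] "GET / HTTP/1.0" 200 512',
    '<i>x</i>.example.net - - [10/Mar/2003:13:56:01 -0800] "GET / HTTP/1.0" 200 512',
    'a b.example.net - - [10/Mar/2003:13:56:09 -0800] "GET / HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for number, reason in suspicious_lines(SAMPLE):
        print(f"line {number}: {reason}")
```

A clean result does not show that a log is free of embedded content; the check only catches client fields that break hostname syntax.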
The described issue is addressed in the following releases:
iPlanet Web Server 6.0 Enterprise Edition