Note: This is an archival copy of Security Sun Alert 231467 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1018981.1.
Sun Java System Web Server 6.1 Service Pack 9
Sun Java System Web Server 7.0 Update 2
Date of Resolved Release
Cross-Site Scripting Vulnerability in Sun Java System Web Server Search Module
A cross-site scripting (XSS) vulnerability in the Sun Java System Web Server search module may allow a local or remote unprivileged user to execute arbitrary scripts on the system hosting the web server.
2. Contributing Factors
This issue can occur in the following releases:
To determine the version of Sun Java System Web Server 6.1 on a system, the following command can be run:
$ <WS-install>/https-<host>/start -version
(Where <WS-install> is the installation directory of the Web Server and <host> is the actual host name on which the Web Server is installed.)
To determine the version of Sun Java System Web Server 7.0 on a system, the following command can be run:
$ <WS-install>/bin/wadm --version
(Where <WS-install> is the installation directory of the Web Server.)
There are no predictable symptoms that would indicate the described issue has been exploited.
To work around the described issue, edit the default search web application's "index.jsp" file, located at "<WS-install>/lib/webapps/search/index.jsp", and remove the line containing the text "out.println(s);".
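The workaround above, as an added example that is not part of the Sun Alert: a POSIX shell function that removes the offending line from index.jsp, keeps a backup, and verifies that the text is gone. The sample JSP content and the temporary path are constructed stand-ins for the real <WS-install>/lib/webapps/search/index.jsp.

```shell
#!/bin/sh
# Added example (not from the Sun Alert): apply the index.jsp workaround safely.
# The sample JSP below is a constructed stand-in for
# <WS-install>/lib/webapps/search/index.jsp; use the real path in practice.

# Remove every line containing the literal text "out.println(s);" from the
# given file, keeping a backup as <file>.orig. Returns 0 when the file no
# longer contains that text, 1 if the file is missing or the edit failed.
apply_search_workaround() {
    jsp="$1"
    [ -f "$jsp" ] || { echo "no such file: $jsp" >&2; return 1; }
    if ! grep -F -q 'out.println(s);' "$jsp"; then
        echo "already applied: $jsp"
        return 0
    fi
    cp -p "$jsp" "$jsp.orig" || return 1
    # sed basic regex: only the dot needs escaping; parentheses are literal
    sed '/out\.println(s);/d' "$jsp.orig" > "$jsp" || return 1
    if grep -F -q 'out.println(s);' "$jsp"; then
        echo "workaround NOT applied: $jsp" >&2
        return 1
    fi
    echo "removed out.println(s); from $jsp (backup: $jsp.orig)"
}

# Number of lines that still echo the raw value; 0 once the workaround holds.
count_raw_echo() {
    grep -F -c 'out.println(s);' "$1" || true
}

# Demonstration on a constructed copy of the search page.
demo_dir=$(mktemp -d)
cat > "$demo_dir/index.jsp" <<'EOF'
<%@ page contentType="text/html" %>
<% String s = request.getParameter("query"); %>
<html><body>
<% out.println(s); %>
</body></html>
EOF
echo "before: $(count_raw_echo "$demo_dir/index.jsp") raw echo line(s)"
apply_search_workaround "$demo_dir/index.jsp"
echo "after:  $(count_raw_echo "$demo_dir/index.jsp") raw echo line(s)"
rm -rf "$demo_dir"
```

Running the function a second time reports "already applied" and leaves the file and its backup untouched.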
This issue is addressed in the following releases:
then choose Web & Proxy Servers -> Web Servers
For more information on Security Sun Alerts, see 1009886.1.
Copyright 2000-2008 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.