Note: This is an archival copy of Security Sun Alert 236481 as previously published on http://sunsolve.sun.com.
The latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1019174.1.
Sun Java System Web Server 6.1
Sun Java System Web Server 7.0
Date of Resolved Release
Cross-Site Scripting Vulnerability in the Sun Java System Web Server Advanced Search Mechanism
2. Contributing Factors
This issue can occur in the following releases:
$ <WS-install>/https-<host>/start -version
(Where <WS-install> is the installation directory of the Web Server and <host> should be the actual host name on which the Web Server is installed).
To determine the version of Sun Java System Web Server 7.0 on a system, the following command can be run:
$ <WS-install>/bin/wadm --version
(Where <WS-install> is the installation directory of the Web Server).
There are no predictable symptoms that would indicate the described issue has been exploited.
The following file can be edited to work around this issue:
by removing the following lines:
<input type=hidden name="next" value="<%=request.getParameter("next")%>">
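To check whether a JSP page still contains this kind of line after the workaround, the following added example (not part of the original advisory or of Sun's code) scans JSP source text for expression tags that print a request parameter with no encoding. The function name, the `encode` helper and the sample page are assumptions constructed for illustration; the script takes the source text as a string.

```python
import re

# JSP comments (<%-- ... --%>) are never sent to the client, so skip them.
JSP_COMMENT = re.compile(r"<%--.*?--%>", re.DOTALL)
# JSP expression tags: <%= ... %> writes the value into the response as-is.
JSP_EXPR = re.compile(r"<%=(.*?)%>", re.DOTALL)
# Expression whose entire body is a request.getParameter("...") call.
RAW_PARAM = re.compile(r'^\s*request\.getParameter\(\s*"([^"]*)"\s*\)\s*$')


def _blank(match):
    # Replace a comment with spaces, keeping newlines so line numbers stay right.
    return re.sub(r"[^\n]", " ", match.group(0))


def find_raw_param_echoes(jsp_source):
    """Return (line_number, parameter_name, in_attribute) for every JSP
    expression that prints a request parameter with no wrapping call."""
    text = JSP_COMMENT.sub(_blank, jsp_source)
    findings = []
    for m in JSP_EXPR.finditer(text):
        hit = RAW_PARAM.match(m.group(1))
        if not hit:
            continue  # wrapped in another call, or not a parameter echo
        line_no = text.count("\n", 0, m.start()) + 1
        # An echo right after = or =" lands inside an HTML attribute value.
        before = text[:m.start()].rstrip()
        in_attribute = before.endswith(('="', "='", "="))
        findings.append((line_no, hit.group(1), in_attribute))
    return findings


# Constructed sample page; the hidden "next" field mirrors the line quoted in
# the advisory, and encode() is a hypothetical HTML-encoding helper.
SAMPLE_JSP = '''<form action="search" method="get">
<%-- <%=request.getParameter("old")%> --%>
<input type=hidden name="next" value="<%=request.getParameter("next")%>">
<input type=text name="q" value="<%= encode(request.getParameter("q")) %>">
</form>
'''

if __name__ == "__main__":
    for line_no, name, in_attr in find_raw_param_echoes(SAMPLE_JSP):
        where = "attribute value" if in_attr else "element content"
        print(f"line {line_no}: parameter '{name}' echoed unencoded into {where}")
```

An empty result for the edited file indicates that no direct parameter echo of this form remains in it.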
This issue is addressed in the following releases:
Sun Java System Web Server 7.0 Update 3 are available at
Under "Web and Proxy Servers" --> "Web Servers"
For more information on Security Sun Alerts, see 1009886.1.
Copyright 2000-2008 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.
11-Jul-2008: Updated Resolution section
10-Oct-2008: Patch 125441-13 (Windows) released