Note: This is an archival copy of Security Sun Alert 200806 as previously published on
Latest version of this security advisory is available from as Sun Alert 1000610.1.
Article ID : 1000610.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-01-24
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Sun One Application Server May Disclose JSP Source


Release Phase

Bug Id
4838909, 4773335, 4840324, 4733798

Date of Workaround Release

Date of Resolved Release


SPI Labs has reported the following issues in Sun ONE Application Server.

1. JSP Source code Disclosure

  • It may be possible to view the source code of JSP applications deployed on the Windows platform.

2. Log evasion

  • When a request with a long URI is sent to the Application Server, only the first 4042 characters of the request URI are logged; anything beyond that point is silently dropped from the access log.

3. Cross-site scripting

  • A sample application shipped with the product may be vulnerable to cross-site scripting attacks.

4. Statefile permissions on Windows

  • A statefile is created during installation of the Application Server. This file can be used as a template for silent installation on other machines. On the Windows platform, this file is world-readable.

These issues are described in the SPI Security Advisory located at:

Contributing Factors

These issues can occur in the following releases:

  • Sun ONE Application Server 7.0 SE
  • Sun ONE Application Server 7.0 PE

For supported architectures and OS versions see:

Standard Edition:

Platform Edition:


Log evasion

The following warning may be found in the server log when a request exceeds the logging buffer:

    WARNING: HTTP4198: flex log buffer overflow- greater than 4096 character
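The access log entries themselves carry no marker that a URI was cut off, so the HTTP4198 warning in the server log is the only direct signal. The script below is an added example, not part of the Sun Alert: it flags access-log requests whose URI has reached the 4042-character cap (the rest of the URI was never logged) and pulls the HTTP4198 warnings from the server log. The sample log lines are constructed, and the access-log layout (common log format with the request line in quotes) and the server-log line layout are assumptions; adjust the regular expressions to the log format actually configured.

```powershell
# Added example (not from the Sun Alert): detect requests whose URI may have been
# truncated in the access log, plus the server-log warning that accompanies them.

function Find-TruncatedRequests {
    param(
        [string[]]$AccessLogLines,
        [int]$UriLimit = 4042     # advisory: only the first 4042 URI characters are logged
    )
    foreach ($line in $AccessLogLines) {
        # Request line is the first quoted field: "METHOD URI PROTOCOL". The closing
        # quote and protocol are not required, in case the record was cut mid-field.
        if ($line -match '"(?<method>[A-Z]+) (?<uri>[^\s"]+)') {
            $uri = $Matches['uri']
            if ($uri.Length -ge $UriLimit) {
                [pscustomobject]@{
                    Method    = $Matches['method']
                    UriLength = $uri.Length
                    Truncated = $true      # at the cap: whatever followed was never logged
                    Line      = $line
                }
            }
        }
    }
}

function Find-LogBufferOverflows {
    param([string[]]$ServerLogLines)
    # HTTP4198 is the server's own signal that a log record exceeded the 4096-byte flex log buffer.
    $ServerLogLines | Where-Object { $_ -match 'HTTP4198' }
}

# Constructed sample data (not real logs). '/index.jsp?q=' is 13 characters,
# so 13 + 4029 = 4042: exactly the logging cap.
$longUri = '/index.jsp?q=' + ('A' * 4029)
$accessLog = @(
    '10.0.0.5 - - [19/Dec/2003:10:15:01 -0500] "GET /index.jsp HTTP/1.0" 200 512',
    "10.0.0.9 - - [19/Dec/2003:10:15:02 -0500] `"GET $longUri`" 200 512"
)
$serverLog = @(
    '[19/Dec/2003:10:15:02] WARNING ( 1234): HTTP4198: flex log buffer overflow- greater than 4096 character',
    '[19/Dec/2003:10:15:03] INFO ( 1234): CORE3282: stdout: request served'
)

Find-TruncatedRequests -AccessLogLines $accessLog | Format-Table Method, UriLength, Truncated
Find-LogBufferOverflows -ServerLogLines $serverLog
```

Run against real logs, replace the two arrays with `Get-Content` of the access log and server log. A request reported at the cap should be treated as having an unknown tail: correlate it by timestamp with the HTTP4198 warning and, where available, with a reverse proxy or network capture that still holds the full URI.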


The following are workarounds for the cross-site scripting and the statefile permission issues:

1. Cross-site scripting

Un-deploy webapp-simple.ear if it is deployed. The deployed application will be in the following directory:


The admin GUI will also show the deployed applications.

Note: Both AS_INSTALL and AS_DEF_DOMAINS_PATH are defined in the asenv.conf file

2. Statefile permissions on Windows

When installing the Sun ONE Application Server on Windows, the default installation directory is "C:\sun".

Any file or directory created in this directory is world-readable by default. The statefile, located at "C:\sun\appserver7\statefile", contains a plaintext username and password for the administrative server. After installation, the administrator should either change the permissions on this file so that only administrators can read it, or delete it, since its main purpose is silent installation of the product on multiple machines.
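One way to carry out this workaround, as an added example that is not part of the Sun Alert: the script below either deletes the statefile or strips the permissive inherited ACL from it and leaves an explicit Administrators-only entry. The default path "C:\sun\appserver7\statefile" comes from the advisory; the use of the BUILTIN\Administrators group and the script parameters are assumptions, so adjust them if the product was installed elsewhere or a different administrative group is used.

```powershell
# Added example (not from the Sun Alert): restrict the Sun ONE Application Server
# statefile to local Administrators, or delete it. Path and group name are assumptions
# beyond the advisory's default install location.
param(
    [string]$StateFile = 'C:\sun\appserver7\statefile',   # default install root per the advisory
    [switch]$Delete                                       # remove the file instead of re-ACLing it
)

if (-not (Test-Path -Path $StateFile)) {
    Write-Warning "statefile not found at $StateFile; nothing to do"
    return
}

if ($Delete) {
    # The file exists only to seed silent installs; removing it removes the plaintext password.
    Remove-Item -Path $StateFile -Force
    Write-Output "Deleted $StateFile"
    return
}

$acl = Get-Acl -Path $StateFile

# Drop every explicit entry (e.g. Everyone, Users) so only the rule added below remains.
foreach ($ace in @($acl.Access)) {
    if (-not $ace.IsInherited) { [void]$acl.RemoveAccessRule($ace) }
}

# Stop inheriting the world-readable ACEs from C:\sun and discard the inherited entries.
$acl.SetAccessRuleProtection($true, $false)

$adminsRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList 'BUILTIN\Administrators', 'FullControl', 'Allow'
$acl.AddAccessRule($adminsRule)
Set-Acl -Path $StateFile -AclObject $acl

# Verify: the only remaining ACE should be the Administrators rule, and none should be inherited.
(Get-Acl -Path $StateFile).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

Run it from an elevated PowerShell session on each machine where the product was installed with the default directory. Because the statefile is consumed only by silent installs and not by the running server, deleting it (the `-Delete` switch) is the simpler and safer option once any further silent installations have been performed.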


The cross-site scripting issue has been addressed with Sun ONE Application Server 7.0 Update Release 1 or later.

It is available for download at:

Standard Edition:

Platform Edition:

The log evasion and JSP source code disclosure issues have been addressed with Sun ONE Application Server 7.0 Update Release 2 or later.

It is available for download at:

Note: Administrators installing the Sun ONE Application Server on Windows should either change the permission of the statefile or delete the file. There will not be a code fix for this issue. The recommendation to change permissions or delete the statefile will be documented in the release notes of Update 2.

Modification History
Date: 19-DEC-2003
  • Updated Resolution section
  • Changed State to Resolved

Sun ONE Application Server 7, Platform Edition
Sun ONE Application Server 7, Standard Edition

This solution has no attachment