Note: This is an archival copy of Security Sun Alert 201009 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000761.1.
Article ID : 1000761.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-01-24
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Vulnerability In Sample Application Included With Sun Java System Web Server



Category
Security

Release Phase
Resolved

Bug Id
4976454

Date of Resolved Release
21-JUL-2004

Impact

The sample application "webapps-simple" included with Sun Java System Web Server 6.1 (formerly Sun ONE Web Server 6.1) may be vulnerable to cross-site scripting attacks.

Due to this cross-site scripting vulnerability, users may unintentionally execute, in their browser, scripts written by a remote unprivileged user if they follow untrusted links/URIs in web pages, mail messages, or newsgroup postings. By following these untrusted links/URIs, the remote attacker may be able to execute commands with the privileges of the user who accessed the link/URI.

This issue is described in the SPI Security Advisory located at http://www.securityfocus.com/archive/1/322946/2003-05-25/2003-05-31/0.

In addition, see the following URLs for details about cross-site scripting and web script vulnerabilities:

http://www.cert.org/archive/pdf/cross_site_scripting.pdf

http://www.cert.org/tech_tips/malicious_code_FAQ.html

http://www.cert.org/advisories/CA-2000-02.html


Contributing Factors

This issue can occur in the following releases on all platforms:

  • Sun Java System Web Server 6.1
  • Sun Java System Web Server 6.1 Service Pack 1 and earlier

Notes:

  1. Releases of Sun Java System Web Server prior to 6.1 are not affected.
  2. This is an issue only if the sample application is deployed. It is not deployed by default.

For supported architectures and OS versions see http://wwws.sun.com/software/products/web_srvr/home_web_srvr.html.


Symptoms

There are no reliable symptoms that would indicate the described issue has been exploited.


Workaround

There is no workaround. Please see the "Resolution" section.

Note: Customers should review the aforementioned CERT documents in addition to the following URL for information on how to mitigate the risks of these issues including details on hardening web servers, modifying web browsers to disable scripting languages, and advice for developers. See the practices numbered 18-22 at http://www.cert.org/security-improvement/.
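As an added illustration of the reflected cross-site scripting pattern described under "Impact" and of the developer-side mitigation referred to in the note above (example code, not part of this Sun Alert or of the webapps-simple sample application), here is a minimal Python stand-in for a page that echoes a query parameter, beside its output-encoded form. The handler, the `name` parameter, the `hello` path and the link are constructed assumptions.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed link of the kind described under "Impact": the payload travels
# percent-encoded in the URI and is decoded by the server before rendering.
LINK = ("http://example.invalid/webapps-simple/hello"
        "?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E")


def _name_param(uri: str) -> str:
    """Extract and URL-decode the hypothetical 'name' query parameter."""
    return parse_qs(urlsplit(uri).query).get("name", [""])[0]


def render_unsafe(uri: str) -> str:
    """Vulnerable pattern: the decoded parameter lands in the HTML body as-is."""
    name = _name_param(uri)
    return f"<html><body><h1>Hello {name}</h1></body></html>"


def render_safe(uri: str) -> str:
    """Hardened: encode for both the element-body and attribute contexts used."""
    # quote=True also escapes " and ', which matters inside the value="..." below.
    safe = html.escape(_name_param(uri), quote=True)
    return (f"<html><body><h1>Hello {safe}</h1>"
            f'<input type="text" value="{safe}"></body></html>')


def unsafely_reflected(uri: str, page: str) -> bool:
    """Defender-side check: does a parameter containing markup characters
    reappear verbatim (unencoded) in the rendered page?"""
    name = _name_param(uri)
    has_markup = any(ch in name for ch in '<>"\'&')
    return has_markup and name in page


if __name__ == "__main__":
    print("unsafe handler reflects markup:", unsafely_reflected(LINK, render_unsafe(LINK)))
    print("hardened handler reflects markup:", unsafely_reflected(LINK, render_safe(LINK)))
```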


Resolution

This issue is addressed in the following release:

  • Sun Java System Web Server 6.1 Service Pack 2 and later

Sun Java System Web Server releases are available at http://wwws.sun.com/software/download/inter_ecom.html#webs.



Modification History

Product
Sun Java System Web Server 7.0