Note: This is an archival copy of Security Sun Alert 201348 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001021.1.
Article ID : 1001021.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2007-07-02
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Cross-site Scripting Vulnerability (XSS) Affecting Pages Generated with JavaDoc Tool



Category : Security
Release Phase : Resolved
Product : Java 2 Platform, Standard Edition
Bug Id : 6490790
Date of Resolved Release : 28-JUN-2007

Impact

A defect in the Javadoc tool in various releases of the JDK may lead to the generation of HTML documentation pages which contain a potential cross-site scripting (XSS) vulnerability. This may allow a remote user to gain access to cookies from the website that hosts the generated documentation.

Sun acknowledges, with thanks, Martin Straka, for bringing this issue to our attention.


Contributing Factors

This issue can occur in the following releases for all platforms (Solaris, Linux, and Windows):

  • JDK 5.0 Update 11 and earlier
  • JDK 6

Note: The Javadoc tool included in SDK 1.4.x and earlier is not affected by this issue.

To determine the version of Java on a system, the following command can be run:

    % java -version
    java version "1.5.0_02-b09"

For this vulnerability to be exploited, a user must click a link (created by a malicious user) in a website or email that points to a vulnerable "index.html" documentation page. The user's cookies from the website that hosts the "index.html" documentation page may then be accessed by the malicious user.


Symptoms

There are no predictable symptoms that would indicate the described issue has been exploited.


Workaround

Please see the "Note" in the Resolution section below.


Resolution

This issue is addressed in the following releases for all platforms (Solaris, Linux, and Windows):

  • JDK 5.0 Update 12 or later
  • JDK 6 Update 1 or later

J2SE 5.0 Update 12 for Solaris is available in the following patches:

  • J2SE 5.0: update 12 (as delivered in patch 118666-12)
  • J2SE 5.0: update 12 (as delivered in patch 118667-12 (64bit))
  • J2SE 5.0_x86: update 12 (as delivered in patch 118668-12)
  • J2SE 5.0_x86: update 12 (as delivered in patch 118669-12 (64bit))

JDK 5.0 is available for download at the following link:

http://java.sun.com/javase/downloads/index_jdk5.jsp

Java SE 6 Update 1 for Solaris is available in the following patches:

  • Java SE 6: update 1 (as delivered in patch 125136-01)
  • Java SE 6: update 1 (as delivered in patch 125137-01 (64bit))
  • Java SE 6_x86: update 1 (as delivered in patch 125138-01)
  • Java SE 6_x86: update 1 (as delivered in patch 125139-01 (64bit))

JDK 6 is available for download at the following link:

http://java.sun.com/javase/downloads/index.jsp

Note: In order to fully resolve this issue, any "index.html" page that was generated with an affected version of the Javadoc tool must be regenerated using a Javadoc tool in one of the releases mentioned in this resolution section.
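
The following added example (not part of the original Sun Alert) classifies "java -version" output against the affected and resolved releases listed in this advisory. The function names and status labels are assumptions made for illustration, and the sample version strings are constructed.

```python
import re
import subprocess

# Version token as printed by `java -version`, e.g. 1.5.0_02-b09 or 1.6.0
VERSION_RE = re.compile(r'\b(\d+)\.(\d+)\.\d+(?:_(\d+))?')

# First update that contains the fix, per release family (Resolution section):
# JDK 5.0 Update 12 and JDK 6 Update 1.
FIRST_FIXED_UPDATE = {5: 12, 6: 1}


def javadoc_status(version_text):
    """Classify the Javadoc tool of the JDK that printed version_text."""
    m = VERSION_RE.search(version_text)
    if not m:
        return "unknown"
    major, minor, update = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    if major != 1 or minor > 6:
        return "unlisted"        # release not named in this advisory
    if minor <= 4:
        return "not-affected"    # SDK 1.4.x and earlier
    # A GA build such as "1.6.0" has no _NN suffix and counts as update 0.
    return "fixed" if update >= FIRST_FIXED_UPDATE[minor] else "affected"


def local_javadoc_status():
    """Run `java -version` (which writes to stderr) and classify the result."""
    try:
        out = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return "unknown"
    return javadoc_status(out.stderr + out.stdout)


if __name__ == "__main__":
    # Constructed sample strings in the format shown in the advisory.
    for sample in ('java version "1.5.0_02-b09"', 'java version "1.5.0_12"',
                   'java version "1.6.0"', 'java version "1.6.0_01-b06"',
                   'java version "1.4.2_13"'):
        print(sample, "->", javadoc_status(sample))
    print("this host ->", local_javadoc_status())
```

The result describes the JDK found on the PATH of the current host, which may differ from the JDK that generated documentation already published. A "fixed" result does not clear existing pages: any "index.html" generated by an affected release still has to be regenerated.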



Modification History
Date: 03-JUL-2007
  • Updated Resolution section


References

125136-01
125137-01
125138-01
125139-01
118666-12
118667-12
118668-12
118669-12



