Note: This is an archival copy of Security Sun Alert 201453 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001094.1.
Article ID : 1001094.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-01-24
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Sun One Web Server Log Analyzer Vulnerability



Category
Security

Release Phase
Resolved

Bug Id
4855546

Date of Resolved Release
14-NOV-2003

Impact

When the Sun ONE Web Server is configured to log client hostnames instead of IP addresses, it may be possible for an attacker to embed malicious code in the log file.

This issue is described at: http://www.securityfocus.com/bid/7012


Contributing Factors

This issue can occur in the following releases:

  • Sun ONE/iPlanet Web Server 6.0 Service Pack 5 and earlier
  • Sun ONE/iPlanet Web Server 4.1 Service Pack 12 and earlier

Symptoms

There are no reliable symptoms that would show the described issue has been exploited.


Workaround

To work around the described issue, log with the IP address (this is the default setting) instead of the hostname.
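One way to confirm the workaround is in effect is to check that every access log entry records an IP address in the client field. The script below is an added example, not Sun's or Oracle's code. It assumes Common Log Format with the client as the first field; the function names and sample entries are constructed for illustration.

```python
import ipaddress
import re

# Assumption: entries follow Common Log Format, client host as the first field.
CLF_RE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "')
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"{LABEL}(?:\.{LABEL})*\.?")

# Constructed sample entries (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Nov/2003:10:00:00 -0800] "GET / HTTP/1.0" 200 512',
    'client.example.com - - [14/Nov/2003:10:00:01 -0800] "GET / HTTP/1.0" 200 512',
    '<i>x</i>.example.net - - [14/Nov/2003:10:00:02 -0800] "GET / HTTP/1.0" 200 512',
    '2001:db8::1 - - [14/Nov/2003:10:00:03 -0800] "GET / HTTP/1.0" 200 512',
]

def classify_client(field):
    """Return 'ip', 'hostname' or 'invalid' for a logged client field."""
    try:
        ipaddress.ip_address(field)
        return "ip"
    except ValueError:
        pass
    if len(field) <= 253 and HOSTNAME_RE.fullmatch(field):
        return "hostname"
    return "invalid"

def audit_log(lines):
    """List (line number, kind, text) for every entry whose client is not an IP."""
    findings = []
    for number, line in enumerate(lines, start=1):
        line = line.rstrip("\r\n")
        if not line:
            continue
        match = CLF_RE.match(line)
        if match is None:
            # Unparseable entries (e.g. whitespace inside the client field).
            findings.append((number, "malformed", line))
            continue
        kind = classify_client(match.group(1))
        if kind != "ip":
            findings.append((number, kind, match.group(1)))
    return findings

if __name__ == "__main__":
    for number, kind, text in audit_log(SAMPLE_LOG):
        # repr() keeps logged content from being interpreted by the terminal.
        print(f"line {number}: {kind}: {text!r}")
```

Any "hostname" finding means hostname logging is still enabled for that log; "invalid" and "malformed" entries carry a client field that is neither an IP address nor a syntactically valid hostname.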


Resolution

The described issue is addressed in the following releases:

  • Sun ONE/iPlanet Web Server 6.0 Service Pack 6 or later, available at: http://wwws.sun.com/software/download/products/3f186391.html
  • Sun ONE/iPlanet Web Server 4.1 Service Pack 13 or later, available at: http://wwws.sun.com/software/download/products/3f8472da.html



Modification History

Product
iPlanet Web Server 6.0 Enterprise Edition