Sun ONE and Sun Java System Application Server Permit Cross-Site Scripting Attacks
|
|
SecurityTracker Alert ID: 1016378
|
|
SecurityTracker URL: http://securitytracker.com/id?1016378
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Jun 26 2006
|
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Advisory: Sun Alert
|
Version(s): 7 prior to Update 9; 7 2004Q2 prior to Update 5; Enterprise Edition 8.1 2005 Q1
|
Description: A vulnerability was reported in the Sun ONE and Sun Java System Application Server. A remote user can conduct cross-site scripting attacks.
A remote user can create cause arbitrary scripting code to be executed by the target user's browser. The code will originate from
the site running the Sun software and will run in the security context of that site. As a result, the code will be able to access
the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by
the target user via web form to the site, or take actions on the site acting as the target user.
No details were provided.
|
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the
Sun software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as
the target user.
|
Solution: Sun has issued the following fixes.
SPARC Platform
* Sun ONE Application Server 7 Update 9 or later
* Sun Java System
Application Server 7 2004Q2 Update 5 or later
* Sun Java System Application Server Enterprise Edition 8.1 2005Q1 with (file
based) patch 119169-08 or later
* Sun Java System Application Server Enterprise Edition 8.1 2005Q1 with (SVR4) patch 119166-16
or later
x86 Platform
* Sun ONE Application Server 7 Update 9 or later
* Sun Java System Application Server 7 2004Q2
Update 5 or later
* Sun Java System Application Server Enterprise Edition 8.1 2005Q1 with (file based) patch 119170-08 or later
* Sun Java System Application Server Enterprise Edition 8.1 2005Q1 with (SVR4) patch 119167-16 or later
Linux Platform
* Sun ONE Application Server 7 Update 9 or later
* Sun Java System Application Server 7 2004Q2 Update 5 or later
*
Sun Java System Application Server Enterprise Edition 8.1 2005Q1 with (file based) patch 119171-08 or later
* Sun Java System
Application Server Enterprise Edition 8.1 2005Q1 with RHEL2.1/RHEL3.0 (Pkg_patch) 119168-16 or later
Windows Platform
* Sun ONE Application Server 7 Update 9 or later
* Sun Java System Application Server 7 2004Q2 Update 5 or later
* Sun
Java System Application Server Enterprise Edition 8.1 2005 Q1 with (file based) patch 119172-08
Sun ONE Application Server 7
Update 9 and Sun Java System Application Server Update 5 can be downloaded at:
http://www.sun.com/download/index.jsp?cat=Application%20%26%20Integration%20Services&tab
=3
The Sun advisory is available at:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102479-1
|
Vendor URL: sunsolve.sun.com/search/document.do?assetkey=1-26-102479-1 (Links to External Site)
|
Cause: Input validation error
|
Underlying OS: Linux (Any), UNIX (Solaris - SunOS), Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Mon, 26 Jun 2006 01:30:04 -0400
Subject: Cross-Site Scripting Vulnerability in Sun ONE and Sun Java System Application Server
|
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102479-1
|
|
