=====================================================================
CERT-Renater Information Note No. 2004/VULN335
_____________________________________________________________________

DATE                 : 28/07/2004
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Sun Java System Web Server 6.1.

======================================================================

DOCUMENT ID: 57605

SYNOPSIS: Vulnerability In Sample Application Included With Sun Java
System Web Server

DETAIL DESCRIPTION:

Sun(sm) Alert Notification

  * Sun Alert ID: 57605
  * Synopsis: Vulnerability In Sample Application Included With Sun Java
    System Web Server
  * Category: Security
  * Product: Sun Java System Web Server
  * BugIDs: 4976454
  * Avoidance: Upgrade
  * State: Resolved
  * Date Released: 21-Jul-2004
  * Date Closed: 21-Jul-2004
  * Date Modified:

1. Impact

The sample application "webapps-simple" included with Sun Java System
Web Server 6.1 (formerly Sun ONE Web Server 6.1) may be vulnerable to
cross-site scripting attacks.

Because of this cross-site scripting vulnerability, users may
unintentionally execute scripts in their browser that were written by a
remote unprivileged user, if they follow untrusted links/URIs in web
pages, mail messages, or newsgroup postings. When a user follows such an
untrusted link/URI, the remote attacker may be able to execute commands
with the privileges of the user who accessed the link/URI.

This issue is described in the SPI Security Advisory located at
[1]http://www.securityfocus.com/archive/1/322946/2003-05-25/2003-05-31/0.

In addition, see the following URLs for details about cross-site
scripting and web script vulnerabilities:

  [2]http://www.cert.org/archive/pdf/cross_site_scripting.pdf
  [3]http://www.cert.org/tech_tips/malicious_code_FAQ.html
  [4]http://www.cert.org/advisories/CA-2000-02.html

2. Contributing Factors

This issue can occur in the following releases on all platforms:

  * Sun Java System Web Server 6.1
  * Sun Java System Web Server 6.1 Service Pack 1

Notes:

  1. Releases of Sun Java System Web Server prior to 6.1 are not
     affected.
  2. This is an issue only if the sample application is deployed. It is
     not deployed by default.

For supported architectures and OS versions see
[5]http://wwws.sun.com/software/products/web_srvr/home_web_srvr.html.

3. Symptoms

There are no reliable symptoms that would indicate the described issue
has been exploited.

SOLUTION SUMMARY:

4. Relief/Workaround

There is no workaround. Please see the "Resolution" section.

Note: Customers should review the aforementioned CERT documents, in
addition to the following URL, for information on how to mitigate the
risks of these issues, including details on hardening web servers,
modifying web browsers to disable scripting languages, and advice for
developers. See the practices numbered 18-22 at
[6]http://www.cert.org/security-improvement/.

5. Resolution

This issue is addressed in the following release:

  * Sun Java System Web Server 6.1 Service Pack 2 and later

Sun Java System Web Server releases are available at
[7]http://wwws.sun.com/software/download/inter_ecom.html#webs.

This Sun Alert notification is being provided to you on an "AS IS"
basis. This Sun Alert notification may contain information provided by
third parties. The issues described in this Sun Alert notification may
or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU
ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT
OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.

This Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
such an agreement, the Sun.com Terms of Use. This Sun Alert notification
may only be used for the purposes contemplated by these agreements.

Copyright 2000-2004 Sun Microsystems, Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved.

_________________________________________________________________
_________________________________________________________________

APPLIES TO:

ATTACHMENTS:

References

  1. http://www.securityfocus.com/archive/1/322946/2003-05-25/2003-05-31/0
  2. http://www.cert.org/archive/pdf/cross_site_scripting.pdf
  3. http://www.cert.org/tech_tips/malicious_code_FAQ.html
  4. http://www.cert.org/advisories/CA-2000-02.html
  5. http://wwws.sun.com/software/products/web_srvr/home_web_srvr.html
  6. http://www.cert.org/security-improvement/
  7. http://wwws.sun.com/software/download/inter_ecom.html#webs

======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER              | tel : 01-53-94-20-44 +
+ 151 bd de l'Hopital       | fax : 01-53-94-20-41 +
+ 75013 Paris               | email: certsvp@renater.fr +
=========================================================
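Since the Alert states that the issue exists only when "webapps-simple" is deployed and that there are no reliable symptoms of exploitation, an administrator's first step is to find which servers still serve the sample application. The following inventory check is an added example, not code from Sun or CERT-Renater; it assumes the sample application is reachable under the context root /webapps-simple/ (the Alert names the application but not its URL), so adjust CONTEXT_ROOTS to your deployment.

```python
"""Inventory check: report web servers that still answer on the
webapps-simple sample-application context root (added example)."""
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, List

# Assumed context roots; the Sun Alert gives only the application name.
CONTEXT_ROOTS = ["/webapps-simple/", "/webapps-simple/index.jsp"]


def http_status(url: str, timeout: float = 5.0) -> int:
    """HTTP status of a HEAD request, or 0 if the server is unreachable."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except (urllib.error.URLError, OSError):
        return 0


def sample_app_deployed(base_url: str,
                        fetch: Callable[[str], int] = http_status) -> bool:
    """True if any assumed context root answers 2xx/3xx, i.e. is served.
    A 404/403/0 on every root means the sample application is not
    deployed (the default state described in the Alert)."""
    base = base_url.rstrip("/")
    return any(200 <= fetch(base + root) < 400 for root in CONTEXT_ROOTS)


def audit(base_urls: List[str],
          fetch: Callable[[str], int] = http_status) -> Dict[str, str]:
    """Verdict per server: 'review' means the sample app is reachable and
    the server must be confirmed to run 6.1 Service Pack 2 or later, or
    have the sample application undeployed."""
    return {
        url: ("review: webapps-simple reachable" if sample_app_deployed(url, fetch)
              else "ok: sample application not deployed")
        for url in base_urls
    }


if __name__ == "__main__":
    # Usage: python check_webapps_simple.py https://web1.example https://web2.example
    for server, verdict in audit(sys.argv[1:]).items():
        print(server, verdict)
```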