search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Sun ONE and Sun Java System Applications vulnerable to cross-site scripting via default error page

Vulnerability Note VU#114956

Original Release Date: 2006-08-10 | Last Revised: 2006-08-15

Overview

A cross-site scripting vulnerability in Sun ONE and Sun Java System Applications may allow an attacker to read or modify data in web pages and cookies.

Description

From Sun Alert Notification 102164:


    A Cross Site Scripting (XSS) vulnerability in various releases of the Sun Java System Web Server and Sun Java System Application Server may allow an unprivileged local or remote user to steal cookie information, hijack sessions, or cause a loss of data privacy between a client and the server.
Vulnerable web servers do not adequately validate the contents of the HTTP REFERER header before using the contents in the default error page.

Sun states that the following products can be affected:
    • Sun ONE Web Server 6.0 Service Pack 9 and earlier
    • Sun Java System Web Server 6.1 Service Pack 4 and earlier
    • Sun ONE Application Server 7 Platform Edition Update 6 and earlier
    • Sun ONE Application Server 7 Standard Edition Update 6 and earlier
    • Sun Java System Application Server 7 2004Q2 Standard Edition Update 2 and earlier
    • Sun Java System Application Server 7 2004Q2 Enterprise Edition Update 2 and earlier
Sun ONE Web Server is derived from Netscape Enterprise Server. Netscape Enterprise Server was also ported to Novell Netware. Netscape Enterprise Server, iPlanet Web Server, Novell NetWare Enterprise Web Server, and other web servers derived from Netscape Enterprise Server may be affected.

Impact

By convincing a user to visit a web page, an attacker could read or modify the contents of web pages on a vulnerable web server. The attacker could read sensitive information, steal cookies, or modify the contents of a web page.

Solution

Apply an update
Please see Sun Alert Notification 102164 for information about updated software.


Change default error page

Change the default error page to not include the contents of the REFERER header. Red Hat has kindly provided instructions for changing the default error page on Netscape Enterprise Server 6.0.

Vendor Information

114956
 

Red Hat, Inc. Affected

Notified:  March 08, 2005 Updated: August 10, 2006

Status

Affected

Vendor Statement

Vendor Statement: Red Hat, Inc.

Netscape Enterprise Server 6.0 is vulnerable to this issue. A work around
that completely blocks this issue is available below. Please note that
Netscape Enterprise Server 6.0 is discontinued and Red Hat will not be
releasing software updates for this issue.

Workaround: Set a default error message for "Not Found" that does not
include a link to the referring page. To configure such a message, follow
these steps:

- Log into admin server
- Select an instance to manage
- Select Class Manager in the upper-right
- Select the Content Management tab
- Select Error Responses link in left frame
- You need to define a Custom Error Response for Error code: Not found.
- Add the entire path to a file under File, or redirect the user
elsewhere. See the Help button for more information.
- Save, then Apply to restart the server

Alternatively, manually add an error response, such as the following, to
obj.conf:

Error fn="send-error" reason="Not Found"
path="/path/to/docs/errors/notfound.html"

The content that Netscape Enterprise Server would send without the
referring site is:

<HEAD><META HTTP-EQUIV=\"Content-Type\"
CONTENT=\"text/html;charset=ISO-8859-1\"><TITLE>Not Found</TITLE></HEAD>
<H1>Not Found</H1> The requested object does not exist on this server. The
link you followed is either outdated, inaccurate, or the server has
been instructed not to let you have it.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sun Microsystems, Inc. Affected

Notified:  March 08, 2005 Updated: August 10, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see Sun Alert Notification 102164.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Netscape Communications Corporation Unknown

Notified:  March 08, 2005 Updated: August 10, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Sun ONE, Netscape Enterprise Server, and Netscape iPlanet are (or were) related.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Novell, Inc. Unknown

Notified:  March 08, 2005 Updated: August 10, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Some Novell web server products are or were related to Netscape web servers.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Acknowledgements

Thanks to JPCERT/CC and IPA for reporting this vulnerability.

This document was written by Katie Washok and Art Manion.

Other Information

CVE IDs: CVE-2006-2501
Severity Metric: 14.50
Date Public: 2005-03-08
Date First Published: 2006-08-10
Date Last Updated: 2006-08-15 17:46 UTC
Document Revision: 32

Sponsored by CISA.