iPolicy Networks Security Advisory
 

Sun Java System Web Server Advanced Search Mechanism XSS Vulnerability

Date Discovered: 06/03/2008
Severity: Medium
Vulnerability Identifiers: CVE-2008-2518, BID-29355
Applications Affected: Sun Java System Web Server 6.1
Sun Java System Web Server 6.1 SP1
Sun Java System Web Server 6.1 SP2
Sun Java System Web Server 6.1 SP3
Sun Java System Web Server 6.1 SP4
Sun Java System Web Server 6.1 SP5
Sun Java System Web Server 6.1 SP6
Sun Java System Web Server 6.1 SP7
Sun Java System Web Server 6.1 SP8
Sun Java System Web Server 7.0
Sun Java System Web Server 7.0 Update_1
Sun Java System Web Server 7.0 Update_2
Synopsis
A vulnerability has been discovered in the advanced search feature of Sun Java System Web Server that allows remote attackers to perform cross-site scripting attacks against systems running vulnerable versions of the application.
Recommended Actions
Apply the patches as directed by the vendor at:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-236481-1
Threat Analysis
Sun Microsystems' Java System Web Server is the leading Web server, delivering a single, secure infrastructure for all Web technologies and applications.

The server is prone to a cross-site scripting vulnerability in the advanced search feature. It does not properly sanitize user input passed to the "advanced.jsp" script before processing it. A remote attacker can exploit this issue to perform a cross-site scripting attack. The attacker can craft a malicious file and entice the user into executing the malicious code in the context of the browser.

The cross-site scripting attack can lead to the theft of sensitive information such as cookie values and the victim's authentication credentials.
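For log review on servers still awaiting the patch, the following added example (not code from iPolicy Networks or Sun) flags requests to "advanced.jsp" whose parameters decode to HTML markup. It assumes access logs in Common Log Format; the "/search/" path prefix, the "param1" parameter name and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Request line inside a Common Log Format entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Characters that let a reflected value break out of HTML text or attributes.
# The apostrophe is left out because it is common in legitimate search terms.
MARKUP_RE = re.compile(r'[<>"]')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded markup is still seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(log_line, script_name="advanced.jsp"):
    """Return [(param, decoded_value)] for markup-bearing parameters sent to script_name."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    if not url.path.lower().endswith("/" + script_name):
        return []
    hits = []
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        decoded = fully_decode(value)  # parse_qsl already decoded one layer
        if MARKUP_RE.search(decoded):
            hits.append((name, decoded))
    return hits

# Constructed sample log lines; paths and parameter names are hypothetical.
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Jun/2008:10:00:01 +0000] "GET /search/advanced.jsp?param1=annual+report HTTP/1.1" 200 5120',
    '192.0.2.44 - - [03/Jun/2008:10:00:07 +0000] "GET /search/advanced.jsp?param1=%3Cscript%3Etest%3C%2Fscript%3E HTTP/1.1" 200 5233',
    '192.0.2.44 - - [03/Jun/2008:10:00:09 +0000] "GET /search/advanced.jsp?param1=%253Cb%253Ex HTTP/1.1" 200 5101',
    '192.0.2.10 - - [03/Jun/2008:10:00:12 +0000] "GET /index.html?x=%3Cb%3E HTTP/1.1" 200 900',
]

def scan(lines):
    """Map line index -> flagged parameters for every line with a hit."""
    results = ((i, suspicious_params(line)) for i, line in enumerate(lines))
    return {i: hits for i, hits in results if hits}

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

A hit means markup was sent to the script, not that it was reflected; treat flagged entries as leads to correlate with the patch status of the server.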
References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2518
http://www.securityfocus.com/bid/29355/info

Write-up by: Kapila Rattan
Copyright ©2008 iPolicy Networks - Security Product Division of Tech Mahindra Limited