|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
[SA13090] Sun Java System Application Server HTTP TRACE Response Cross-Site Scripting
From: Secunia Security Advisories (sec-adv
secunia.com)
Date: Thu Nov 04 2004 - 04:36:15 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
----------------------------------------------------------------------
Monitor, Filter, and Manage Security Information
- Filtering and Management of Secunia advisories
- Overview, documentation, and detailed reports
- Alerting via email and SMS
Request Trial:
https://ca.secunia.com/?f=l
----------------------------------------------------------------------
TITLE:
Sun Java System Application Server HTTP TRACE Response Cross-Site
Scripting
SECUNIA ADVISORY ID:
SA13090
VERIFY ADVISORY:
http://secunia.com/advisories/13090/
CRITICAL:
Not critical
IMPACT:
Cross Site Scripting
WHERE:
From remote
SOFTWARE:
Sun Java System Application Server (Sun ONE) 7.x
http://secunia.com/product/1534/
DESCRIPTION:
Sun has acknowledged a problem in Sun Java System Application Server,
which potentially can be exploited to conduct cross-site scripting
attacks against users.
The problem is that Sun Java System Application Server by default
responds to HTTP TRACE requests. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in context
of an affected site when combined with certain other vulnerabilities.
The problem affects the following versions:
* Sun Java System Application Server Standard Edition 7 and later
updates
* Sun Java System Application Server Standard Edition 7 2004Q2 and
later updates
* Sun Java System Application Server Platform Edition 7 and later
updates
SOLUTION:
Disable HTTP TRACE support, if this is considered a problem.
ORIGINAL ADVISORY:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-57670-1
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
----------------------------------------------------------------------
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]