---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. This includes: * Reason for rating * Extended description * Extended solution * Exploit code or links to exploit code * Deep links Read the full description: http://corporate.secunia.com/products/48/?r=l Contact Secunia Sales for more information: http://corporate.secunia.com/how_to_buy/15/?r=l ---------------------------------------------------------------------- TITLE: Sun Java System Server Products HTTP Request Smuggling SECUNIA ADVISORY ID: SA23186 VERIFY ADVISORY: http://secunia.com/advisories/23186/ CRITICAL: Less critical IMPACT: Security Bypass, Cross Site Scripting, Manipulation of data WHERE: >From remote SOFTWARE: Sun Java System Web Server (Sun ONE/iPlanet) 6.x http://secunia.com/product/92/ Sun Java System Web Proxy Server 3.x http://secunia.com/product/2880/ Sun Java System Application Server 8.x http://secunia.com/product/3509/ Sun Java System Application Server (Sun ONE) 7.x http://secunia.com/product/1534/ Sun Java System Web Proxy Server 4.x http://secunia.com/product/12788/ DESCRIPTION: Sun has acknowledged a vulnerability in various Sun Java System Server products, which can be exploited by malicious people to conduct HTTP request smuggling attacks. The vulnerability is caused due to an unspecified error within the handling of HTTP requests when using Sun Java System Proxy Server in conjunction with the Sun Java System Web Server or the Sun Java System Application Server. Successful exploitation allows poisoning of the web proxy cache, bypass of certain web application firewall protections, or cross-site scripting attacks. SOLUTION: Apply service packs and patches. -- SPARC Platform -- * Sun Java System Proxy Server 3.6 Service Pack 8 or later * Sun Java System Proxy Server 4.0 Service Pack 1 or later * Sun Java System Web Server 6.0 Service Pack 10 or later * Sun Java System Web Server 6.1 2005Q1 Service Pack 5 or later * Sun ONE Application Server 7 Update 8 or later * Sun Java System Application Server 7 2004Q2 Update 4 or later * Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 with (file-based) patch 119169-02 or (SVR4) patch 119166-09 or later * Sun Java System Application Server Platform Edition 8.1 2005 Q1 with (file-based) patch 119173-01 or later -- x86 Platform -- * Sun Java System Application Server Platform Edition 8.1 2005 Q1 with (file-based) patch 119174-01 or later * Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 with (file-based) patch 119170-02 or (SVR4) patch 119167-09 or later -- Linux Platform -- * Sun Java System Application Server Platform Edition 8.1 2005 Q1 with (file-based) patch 119175-01 or later * Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 with (file-based) patch 119171-02 or (Pkg) patch 119168-09 or later -- Windows Platform -- * Sun Java System Application Server Platform Edition 8.1 2005 Q1 with (file based) patch 119176-01 or later * Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 with (file based) patch 119172-07 or (native) patch 121528-01 Sun Java System Proxy Server 3.6 Service Pack 8 or later is available at: http://www.sun.com/download/products.xml?id=42fa5c49 Sun Java System Proxy Server 4.0 Service Pack 1 or later is available at: http://www.sun.com/download/products.xml?id=4384b5dd Sun Java System Web Server 6.0 Service Pack 10 or later is available at: http://www.sun.com/download/products.xml?id=43a84f89 Sun Java System Web Server 6.1 2005Q1 Service Pack 5 or later is available at: http://www.sun.com/download/products.xml?id=434aec1d http://www.sun.com/download/products.xml?id=43c43041 (International Edition) Sun ONE Application Server 7 Update 8 or later is available at: http://www.sun.com/download/products.xml?id=438cfb75 (Platform Edition) http://www.sun.com/download/products.xml?id=438cf33d (Standard Edition) Sun Java System Application Server 7 2004Q2 Update 4 or later is available at: http://www.sun.com/download/products.xml?id=4331ff42 (Standard Edition) http://javashoplm.sun.com/ECom/docs/Welcome.jsp?StoreId=8&PartDetailId=SJAS72004Q2U4-EE-OTH-G-ES (Enterprise Edition) PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102733-1 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------