----------------------------------------------------------------------

TITLE:
Interstage Application Server Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA26660

VERIFY ADVISORY:
http://secunia.com/advisories/26660/

CRITICAL:
Less critical

IMPACT:
Security Bypass, Cross Site Scripting

WHERE:
From remote

SOFTWARE:
Interstage Studio 8.x
http://secunia.com/product/13690/
Interstage Job Workload Server 8.x
http://secunia.com/product/13686/
Interstage Business Application Server 8.x
http://secunia.com/product/13687/
Interstage Apworks 7.x
http://secunia.com/product/13689/
Interstage Apworks 6.x
http://secunia.com/product/13688/
Interstage Application Server 8.x
http://secunia.com/product/13685/
Interstage Application Server 7.x
http://secunia.com/product/13692/
Interstage Application Server 6.x
http://secunia.com/product/13693/
Interstage Studio 9.x
http://secunia.com/product/15610/

DESCRIPTION:
Some vulnerabilities and security issues have been reported in
Interstage Application Server, which can be exploited by malicious
people to conduct cross-site scripting attacks or bypass certain
security restrictions.

1) A vulnerability exists in the Tomcat Servlet Service when processing
multiple Content-Length headers. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in the
context of an affected site.

2) A security issue in the Tomcat Servlet Service can be exploited to
bypass access restrictions imposed on web applications.
For more information:
SA24732

3) Input passed via the "Accept-Language" header to the Tomcat Servlet
Service is not properly sanitised before being returned to the user.
This can be exploited to conduct cross-site scripting attacks.

For more information:
SA25721

Please see the vendor advisories for a list of affected products.

SOLUTION:
The vendor is working on patches. Please contact a Fujitsu system
engineer.

Filter malicious characters and character sequences in a web proxy.

PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.

ORIGINAL ADVISORY:
1) http://www.fujitsu.com/global/support/software/security/products-f/interstage-200703e.html
2) http://www.fujitsu.com/global/support/software/security/products-f/interstage-200702e.html
3) http://www.fujitsu.com/global/support/software/security/products-f/interstage-200704e.html

OTHER REFERENCES:
SA24732:
http://secunia.com/advisories/24732/

SA25721:
http://secunia.com/advisories/25721/

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link. Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------
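The advisory's interim workaround is to filter at a web proxy in front of the servlet container. The following is an added example, not Fujitsu or Secunia code, of the two proxy-side checks that issues 1 and 3 call for: rejecting requests whose repeated Content-Length headers conflict (RFC 7230 section 3.3.3 says such a message must not be forwarded), and HTML-escaping the Accept-Language value before it is ever reflected into a page. The raw request bytes, the host name example.test and the function names are all constructed for the example.

```python
"""Proxy-side checks for the header-handling issues in the advisory.

Added example, not vendor code. Assumed deployment point: a reverse
proxy or WAF hook that sees the raw request before it reaches the
Tomcat Servlet Service. All request bytes below are constructed.
"""
import html
from typing import Dict, List, Optional, Tuple


def parse_headers(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.x request into its request line and headers.

    Duplicate header names are kept as separate (name, value) entries so
    that the checks below can see every occurrence, not just the last.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    request_line = lines[0]
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    return request_line, headers


def content_length_problem(headers: List[Tuple[str, str]]) -> Optional[str]:
    """Return a rejection reason if Content-Length is ambiguous, else None.

    Repeated identical numeric values are tolerated (they can be collapsed
    to one); differing or non-numeric values make the request length
    ambiguous, which is the condition issue 1 depends on.
    """
    values = [v for n, v in headers if n == "content-length"]
    if not values:
        return None
    seen = set()
    for v in values:
        if not v.isdigit():
            return f"non-numeric Content-Length: {v!r}"
        seen.add(int(v))
    if len(seen) > 1:
        return f"conflicting Content-Length values: {sorted(seen)}"
    return None


def render_language_notice(accept_language: str) -> str:
    """Escape the Accept-Language value before reflecting it into HTML (issue 3)."""
    return f"<p>Preferred language: {html.escape(accept_language, quote=True)}</p>"


def inspect_request(raw: bytes) -> Dict[str, object]:
    """Run both checks and report whether the proxy should drop the request."""
    request_line, headers = parse_headers(raw)
    reason = content_length_problem(headers)
    lang = next((v for n, v in headers if n == "accept-language"), "")
    return {
        "request_line": request_line,
        "reject": reason is not None,
        "reason": reason,
        "language_html": render_language_notice(lang),
    }


# Constructed sample requests (not captured traffic).
CONFLICTING = (b"POST /app/login HTTP/1.1\r\nHost: example.test\r\n"
               b"Content-Length: 6\r\nContent-Length: 48\r\n"
               b"Accept-Language: en-US\r\n\r\nuser=a")
REFLECTED = (b"GET /app/ HTTP/1.1\r\nHost: example.test\r\n"
             b"Accept-Language: <script>alert(1)</script>\r\n\r\n")
CLEAN = (b"GET /app/ HTTP/1.1\r\nHost: example.test\r\n"
         b"Accept-Language: de-DE,de;q=0.9\r\n\r\n")

if __name__ == "__main__":
    for sample in (CONFLICTING, REFLECTED, CLEAN):
        print(inspect_request(sample))
```

The Content-Length check runs before any body is forwarded, so the container never sees a request whose length the proxy and the servlet could disagree about; the escaping helper is what a reflected Accept-Language value should pass through regardless of whether a vendor patch is in place.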