---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta The Public Beta has ended. Thanks to all that participated. Learn more: http://secunia.com/network_software_inspector_2/ ---------------------------------------------------------------------- TITLE: Sun Java System Web Server Search Module Cross-Site Scripting Vulnerability SECUNIA ADVISORY ID: SA30133 VERIFY ADVISORY: http://secunia.com/advisories/30133/ CRITICAL: Less critical IMPACT: Cross Site Scripting WHERE: >From remote SOFTWARE: Sun Java System Web Server (Sun ONE/iPlanet) 6.x http://secunia.com/product/92/ Sun Java System Web Server 7.x http://secunia.com/product/14474/ DESCRIPTION: Sun has acknowledged a vulnerability in Sun Java System Web Server, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed to the lib/webapps/search/index.jps script of the search module is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. SOLUTION: Apply patches. -- SPARC Platform -- Sun Java System Web Server 6.1: Apply Service Pack 9 or later Sun Java System Web Server 6.1: Apply patch 116648-21 or later Sun Java System Web Server 7.0: Apply Update 2 or later Sun Java System Web Server 7.0: Apply patch 125437-13 or later -- x86 Platform -- Sun Java System Web Server 6.1: Apply Service Pack 9 or later Sun Java System Web Server 6.1: Apply patch 116649-21 or later Sun Java System Web Server 7.0: Apply Update 2 or later Sun Java System Web Server 7.0: Apply patch 125438-13 or later -- Linux -- Sun Java System Web Server 6.1: Apply Service Pack 9 or later Sun Java System Web Server 6.1: Apply patch 118202-13 or later Sun Java System Web Server 7.0: Apply Update 2 or later Sun Java System Web Server 7.0: Apply patch 125439-11 or later -- Windows -- Sun Java System Web Server 6.1: Apply Service Pack 9 or later Sun Java System Web Server 6.1: Apply patch 121524-05 or later Sun Java System Web Server 7.0: Apply Update 2 or later Sun Java System Web Server 7.0: Apply patch 125441-12 or later -- HP-UX -- Sun Java System Web Server 6.1: Apply Service Pack 9 or later Sun Java System Web Server 6.1: Apply patch 121510-05 or later Sun Java System Web Server 7.0: Apply Update 2 or later Sun Java System Web Server 7.0: Apply patch 125440-11 or later -- AIX -- Sun Java System Web Server 6.1: Apply Service Pack 9 or later ORIGINAL ADVISORY: http://sunsolve.sun.com/search/document.do?assetkey=1-66-231467-1 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------