Published: 2006/05/17  Last Updated: 2015/10/21

JVN#03D5EAA8
Sun Java System Web Server cross-site scripting vulnerability

Overview

Sun Java System Web Server (originally called Sun ONE Web Server) contains a cross-site scripting vulnerability. A vulnerable web server does not adequately validate the HTTP Referer header before including its contents in the default error page.
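
The following is an added example, not Sun's code and not part of the original advisory: a Python sketch of an error page that reflects the Referer header unvalidated, next to a hardened version. The page markup, function names and sample header value are hypothetical, since the advisory does not show the product's actual error page.

```python
import html
from urllib.parse import urlsplit

# Hypothetical error-page markup; the real product's page is not shown in the advisory.
ERROR_TEMPLATE = (
    "<html><body><h1>404 Not Found</h1>"
    '<p>Return to <a href="{ref}">{ref}</a></p></body></html>'
)

# Constructed sample header value: markup smuggled into the URL path.
CONSTRUCTED_REFERER = 'http://example.test/"><script>alert(1)</script>'


def render_error_vulnerable(headers):
    """The flaw class: header contents are placed in the page without validation."""
    return ERROR_TEMPLATE.format(ref=headers.get("Referer", "/"))


def safe_referer(value):
    """Accept only absolute http(s) URLs free of control characters, else fall back to '/'."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return "/"
    try:
        parts = urlsplit(value)
    except ValueError:
        return "/"
    # Rejects javascript:, data: and relative values that would change link behaviour.
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return "/"
    return value


def render_error_hardened(headers):
    """Validate the header, then HTML-escape it for both attribute and text context."""
    ref = safe_referer(headers.get("Referer", "/"))
    return ERROR_TEMPLATE.format(ref=html.escape(ref, quote=True))


if __name__ == "__main__":
    request_headers = {"Referer": CONSTRUCTED_REFERER}
    print(render_error_vulnerable(request_headers))
    print(render_error_hardened(request_headers))
```

Scheme validation and output escaping cover different cases: escaping neutralises injected markup, while the scheme check handles values such as `javascript:` URLs that contain no markup at all.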

Products Affected

  • For more information, refer to the vendor's website.
On May 19, 2006, the Sun Alert regarding this issue was published.

Description

Impact

A malicious script may be executed on the user's web browser.

Solution

Vendor Status

| Vendor | Status | Last Update | Vendor Notes |
|---|---|---|---|
| bug | Not Vulnerable | 2006/05/17 | |
| FUJITSU LIMITED | Vulnerable | 2015/10/13 | |
| nec | Not Vulnerable | 2006/05/17 | |

References

  1. US-CERT
    Sun ONE and Sun Java System Applications vulnerable to cross-site scripting via default error page

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

LAC Co., Ltd reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendors under the Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE: CVE-2006-2501
JVN iPedia: JVNDB-2006-000293

Update History

2015/10/21
FUJITSU LIMITED update status