CVE-2006-2501
CVSS 6.8
Published: 2006-05-19 23:02:00
Revised: 2011-03-07 21:36:19

[Original] Cross-site scripting (XSS) vulnerability in Sun ONE Web Server 6.0 SP9 and earlier, Java System Web Server 6.1 SP4 and earlier, Sun ONE Application Server 7 Platform and Standard Edition Update 6 and earlier, and Java System Application Server 7 2004Q2 Standard and Enterprise Edition Update 2 and earlier, allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors, possibly involving error messages.


[CNNVD] Sun ONE/Sun Java System Application Error Page Cross-Site Scripting Vulnerability (CNNVD-200605-358)

Sun ONE Web Server 6.0 SP9 and earlier, Java System Web Server 6.1 SP4 and earlier, Sun ONE Application Server 7 Platform and Standard Edition Update 6 and earlier, and Java System Application Server 7 2004Q2 Standard and Enterprise Edition Update 2 and earlier contain a cross-site scripting (XSS) vulnerability. A remote attacker can inject arbitrary web script or HTML via unknown attack vectors, possibly related to error messages.

- CVSS (base score)

CVSS score: 6.8 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: MEDIUM [exploitation requires certain access conditions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:sun:one_web_server:6.0:sp7
cpe:/a:sun:java_system_web_server:6.1:sp4  (Sun Java System Web Server 6.1 SP4)
cpe:/a:sun:one_application_server:7.0::standard
cpe:/a:sun:java_system_web_server:6.1  (Sun Java System Web Server 6.1)
cpe:/a:sun:one_application_server:6.0:sp1
cpe:/a:sun:one_web_server:6.0:sp4
cpe:/a:sun:one_application_server:7.0:update_6:standard
cpe:/a:sun:java_system_web_server:6.1:sp2  (Sun Java System Web Server 6.1 SP2)
cpe:/a:sun:java_system_web_server:6.1:sp3  (Sun Java System Web Server 6.1 SP3)
cpe:/a:sun:java_system_application_server:7.0:ur2:enterprise
cpe:/a:sun:one_application_server:6.0  (Sun ONE Application Server 6.0)
cpe:/a:sun:one_web_server:6.0:sp9
cpe:/a:sun:java_system_application_server:7.0:ur2:standard
cpe:/a:sun:one_application_server:7.0::platform
cpe:/a:sun:one_web_server:6.0:sp8
cpe:/a:sun:java_system_web_server:6.1:sp1  (Sun Java System Web Server 6.1 SP1)
cpe:/a:sun:one_application_server:7.0:update_6:platform
cpe:/a:sun:one_application_server:6.0:sp2
cpe:/a:sun:one_web_server:6.0:sp5
cpe:/a:sun:one_web_server:6.0:sp3

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2501
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2501
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200605-358
(Official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/114956
(UNKNOWN)  CERT-VN  VU#114956
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102164-1
(PATCH)  SUNALERT  102164
http://secunia.com/advisories/20147
(VENDOR_ADVISORY)  SECUNIA  20147
http://jvn.jp/jp/JVN%2303D5EAA8/index.html
(PATCH)  JVN  JVN#03D5EAA8
http://xforce.iss.net/xforce/xfdb/26550
(UNKNOWN)  XF  sun-java-system-xss(26550)
http://www.vupen.com/english/advisories/2006/1866
(UNKNOWN)  VUPEN  ADV-2006-1866
http://www.securityfocus.com/bid/18035
(UNKNOWN)  BID  18035
http://securitytracker.com/id?1016126
(UNKNOWN)  SECTRACK  1016126
http://securitytracker.com/id?1016125
(UNKNOWN)  SECTRACK  1016125

- Vulnerability information

Sun ONE/Sun Java System Application Error Page Cross-Site Scripting Vulnerability
Medium risk  Cross-site scripting
2006-05-19 00:00:00  2006-10-31 00:00:00
Remote

- Advisories and patches

The vendor has released upgrade patches to fix this security issue; patch download links:

Sun ONE Web Server 6.0 (base release and SP1 through SP9)
    Fixed in: Sun ONE Web Server 6.0 Service Pack 10
    http://www.sun.com/download/products.xml?id=43a84f89
Sun Java System Web Server 6.1 (base release and SP1 through SP4)
    Fixed in: Sun Java System Web Server 6.1 Service Pack 5
    http://www.sun.com/download/products.xml?id=434aec1d
Sun ONE Application Server 7.0 Platform Edition (base release, UR1, UR2, UR2 Upgrade, UR6)
    Fixed in: Sun ONE Application Server 7 Platform Edition Update 7
    http://www.sun.com/download/products.xml?id=42ae3178
Sun ONE Application Server 7.0 Standard Edition (base release, UR1, UR2, UR2 Upgrade, UR6)
    Fixed in: Sun ONE Application Server 7 Standard Edition Update 7
    http://www.sun.com/download/products.xml?id=42ae317c
Sun Java System Application Server 7.0 2004Q2 Standard Edition (R1, R2)
    Fixed in: Sun Java System Application Server 7 2004Q2 Standard Edition Update 3
    http://www.sun.com/download/products.xml?id=4331ff42
Sun Java System Application Server 7.0 2004Q2 Enterprise Edition (R1, R2)
    Fixed in: Sun Java System Application Server 7 2004Q2 Enterprise Edition Update 3
    http://javashoplm.sun.com/ECom/docs/Welcome.jsp?StoreId=8&PartDetailId=SJAS72004Q2U4-EE-OTH-G-ES&TransactionId=try

- Vulnerability information

25634
Sun ONE/Java System Web Server Error Page XSS
Remote / Network Access Input Manipulation
Loss of Integrity

- Vulnerability description

Unknown or Incomplete

- Timeline

2006-05-18 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete