The Solaris Management Console (smc(1M)) is a graphical user interface that provides access to Solaris system administration tools which includes a web server that runs on port 898. This SMC web server enables the HTTP TRACE method by default which may allow a local or remote unprivileged user the ability to access sensitive information, such as cookies or authentication data, contained in the HTTP headers of an HTTP TRACE request.

This issue is described in the CERT Vulnerability VU#867593 (see http://www.kb.cert.org/vuls/id/867593).

Note: The HTTP TRACE method asks a web server to echo the contents of the request back to the client for debugging purposes. The HTTP TRACE method is described in the HTTP 1.1 standard (RFC 2616, section 9.8). The TRACE method is enabled by default in Solaris Management Console (SMC) webserver.

A security vulnerability in the "/etc/init.d/slsadmin" script in PC NetLink 2.0 may allow files to be opened insecurely, which could allow an unprivileged local user the ability to write to the filesystem with the permissions of the user running "slsadmin." If "slsadmin" is run as "root," it may allow a local unprivileged user to gain elevated privileges on the system and run arbitrary commands.

A security vulnerability in the "/opt/lanman/sbin/slsmgr" command in PC NetLink 2.0 may allow files to be opened insecurely, which could allow an unprivileged local user the ability to write to the filesystem with the permissions of the user running "slsmgr." If "slsmgr" is run as "root," it may allow a local unprivileged user to gain elevated privileges on the system and run arbitrary commands.

A remote unprivileged user may be able to crash a Sun Java System Web Server or a Sun Java System Application Server which is configured to use SSL. Being able to crash an application is a type of Denial of Service (DoS).

A Security Vulnerability in Communications Services Delegated Administrator 2005Q1 may allow a remote unauthorized user the ability to gain access to the Top-Level Administrator (TLA) default password.

A remote privileged user may be able to attempt an IKE exchange using a malformed payload, which could cause the in.iked(1M) process to crash, causing a Denial of Service (DoS) of IPSec key management services.

This issue is revealed by the test suite which is described in NISCC vulnerability #273756, which is available at http://www.uniras.gov.uk/niscc/docs/br-20051114-01013.html?lang=en

Solaris 10 with Sun Update Connection Services, a web proxy password may be visible to unauthorized local users on the affected system and also in the web proxy log files at the web proxy server. In addition, this issue prevents Sun Update Connection from authenticating to the web proxy server.

Sun Acknowledges with thanks Nicholas Brealey of Culham Electromagnetics and Lightning for bringing this issue to our attention.

A security vulnerability exists in the Proxy Plug-in for certain Sun ONE and Java System Application Server products when the plug-in is used with a supported web server, such as Sun Java System Web Server, Apache Web Server or Microsoft Internet Information Server (IIS). This vulnerability may allow a "Man-in-the-Middle" condition to be exploited and possibly compromise data privacy between the client and the server.

Note: Though not impossible, it will be difficult to carry out this exploit from outside the firewall in front of the web server.

A remote unprivileged user may be able to crash the X Display Manager (xdm(1)) when using an invalid X Display Manager Control Protocol (XDMCP) request, thus causing a Denial of Service (DoS).

A security vulnerability which affects the Xsun(1) and Xprt(1) commands may allow a a local unprivileged user the ability to execute arbitrary code with the privileges of either the Xsun(1) or Xprt(1) command.

Sun acknowledges, with thanks, Eric Sheridan of Towson University for bringing this issue to our attention.