« Sun Alert 238416 A... | Main | Sun Alert 242266... »
05 Jan 2009 Sun Alert 201538 Sun Java System Access Manager Does Not Securely Process XSLT Stylesheets contained in XML Signatures contained in XML Signatures
posted by security in Alerts
Product: Sun Java System Access Manager 6 2005Q1 Sun Java System Access Manager 7.1 Sun Java System Identity Server 6.1 Sun Java System Identity Server 6.2 Sun Java System Access Manager 7 2005Q4

The Sun Java System Access Manager may not securely process XSLT stylesheets which are contained inside XSLT Transforms in XML Signatures.

A remote user who is able to create such an XML Signature which is viewed locally with Access Manager may be able to execute arbitrary code with the privileges of the Access Manager application. Access Manager is run by a web container application, such as the Sun Java System Application Server, and thus the privileges of Access Manager are the same as the configured web container application.

Sun acknowledges with thanks, Brad Hill of iSEC Partners for bringing this issue to our attention.


State: Resolved
First released: 26-Jun-2008
Sun Alert Link: http://sunsolve.sun.com/search/document.do?assetkey=1-66-201538-1
Permalink | Comments [0]
Trackback URL: http://blogs.sun.com/security/entry/sun_alert_201538_sun_java
Comments:

Post a Comment:

Name:
E-Mail:
URL:

Your Comment:

HTML Syntax: NOT allowed

« Sun Alert 238416 A... | Main | Sun Alert 242266... »

Sun Certified Security Administrator

Download Solaris
Patches and Updates
Download Solaris Security Toolkit

« November 2009
SunMonTueWedThuFriSat
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
     
       
Today


Company Info   |   Contact   |   Terms of Use   |   Privacy   |   Trademarks   |   Copyright 2008 Sun Microsystems, Inc.