Two Sun Alerts for Search in Sun Java Web Server
Tuesday Jul 29, 2008
There are two Sun Alerts for cross-site scripting (XSS) in the Sun Java Web Server search application: one for Search and the other for Advanced Search.
[Screenshots of the Search and Advanced Search pages are not included here.]
You can see the Sun Alerts at
http://sunsolve.sun.com/search/document.do?assetkey=1-66-231467-1
and
http://sunsolve.sun.com/search/document.do?assetkey=1-66-236481-1
The best fix is to upgrade to the latest Service Packs (SPs) listed in the Sun Alerts above.
If you cannot upgrade right now and need to apply the workarounds first (and upgrade later), remember to apply the workarounds for BOTH Sun Alerts, i.e.
for Search,
"
4. Workaround
To work around the described issue, edit the default search web
application file named "index.jsp" which is located at
"<WS-install>/lib/webapps/search/index.jsp" to remove the line containing the text
"out.println(s);".
"
and for Advanced Search,
"
4. Workaround
The following file can be edited to work around this issue:
root>/bin/https/webapps/search/advanced.jsp
by removing the following lines:
<input type=hidden name="next"
value="<%=request.getParameter("next"
"out.println(s);"
"
I have seen some administrators apply only one of the workarounds and not the other, so I am writing it here: you need to apply the workarounds for BOTH Sun Alerts.
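Since the point of this post is that both files need to be edited, here is a small check script that reports whether the lines the two Sun Alerts tell you to remove are still present. This is an added example, not part of the Sun Alerts or of the Web Server product; the install root is passed as an argument, the advanced.jsp path is assumed to be bin/https/webapps/search/advanced.jsp under that root (the path in the alert text above is truncated), and the patterns are the lines quoted from the alerts.

```shell
#!/bin/sh
# Added example, not from the Sun Alerts or the Web Server product.
# Checks whether the reflected-output lines named by the two Sun Alerts are
# still present in the search JSPs. File locations are assumptions relative
# to the install root given as the first argument.

# check_line_removed FILE PATTERN
# Returns 0 if PATTERN is absent from FILE (workaround applied),
# 1 if it is still present, 2 if FILE cannot be read.
check_line_removed() {
    file="$1"
    pattern="$2"
    [ -r "$file" ] || return 2
    if grep -F -q -- "$pattern" "$file"; then
        return 1
    fi
    return 0
}

# check_search_workarounds WS-INSTALL-ROOT
# Reports on both JSPs and returns non-zero if either still contains a line
# the alerts say to remove, or if a file is missing.
check_search_workarounds() {
    root="${1:?usage: check_search_workarounds <WS-install-root>}"
    status=0
    # Each entry is "file|pattern"; the pattern is the literal text to look for.
    for spec in \
        "$root/lib/webapps/search/index.jsp|out.println(s);" \
        "$root/bin/https/webapps/search/advanced.jsp|out.println(s);" \
        "$root/bin/https/webapps/search/advanced.jsp|getParameter(\"next\""
    do
        f="${spec%%|*}"
        p="${spec#*|}"
        rc=0
        check_line_removed "$f" "$p" || rc=$?
        case $rc in
            0) echo "OK       $f: '$p' not present" ;;
            1) echo "PRESENT  $f: '$p' still present"; status=1 ;;
            *) echo "MISSING  $f: cannot read file"; status=1 ;;
        esac
    done
    return $status
}
```

Run it as `check_search_workarounds /path/to/webserver` after editing the files; a non-zero exit means at least one of the two workarounds has not been applied (or a file could not be read), which is exactly the "only did one" situation described above.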
Tags: advanced alerts cross-site scripting search security sun vulnerability xss