Tuesday Jul 29, 2008
There are two such Sun Alerts for XSS: one is for Search and the other is for Advanced Search.
You can see Search like below:

and Advanced Search as follows:
You can see the Sun Alerts at
http://sunsolve.sun.com/search/document.do?assetkey=1-66-231467-1
and
http://sunsolve.sun.com/search/document.do?assetkey=1-66-236481-1
The best fix is to upgrade to the latest SPs listed in the Sun Alerts above.
If you cannot upgrade right now and need to apply the workarounds first (and upgrade later), please remember to apply the workarounds for BOTH Sun Alerts, e.g.
for Search,
"
4. Workaround
To work around the described issue, edit the default search web application file named "index.jsp" which is located at "<WS-install>/lib/webapps/search/index.jsp" to remove the line containing the text "out.println(s);".
"
and for Advanced Search,
"
4. Workaround
The following file can be edited to workaround this issue:
<install root>/bin/https/webapps/search/advanced.jsp
by removing the following lines:
<input type=hidden name="next" value="<%=request.getParameter("next")%>">
"out.println(s);"
"
I have seen some people apply only one workaround but not the other, so I am writing this here so that you know you need to apply the workarounds for BOTH Sun Alerts.
Tuesday Jun 24, 2008
For security reasons, it is sometimes necessary to disable the TRACE method in Sun Java Web Server; see
http://sunsolve.sun.com/search/document.do?assetkey=1-66-200171-1
One common mistake happens when you just cut and paste the following into the telnet window for obj.conf:
"
<Client method="TRACE">
AuthTrans fn="set-variable" remove-headers="transfer-encoding" set-headers="content-length: -1" error="501"
</Client>
"
You must remove the spaces in front of <Client...> and </Client>.
Also, the long AuthTrans line must be ONE SINGLE line.
Then, you can restart and test it.
e.g. in my env,
<Object name="default">
<Client method="TRACE">
AuthTrans fn="set-variable" remove-headers="transfer-encoding" set-headers="content-length: -1" error="501"
</Client>
....
Then the customer can test that TRACE is disabled, e.g.
apple:/export/home/iws6.1sp8/https-trace-1/config> telnet apple.asia 60012
Trying 129.158.175.16...
Connected to apple.asia.sun.com.
Escape character is '^]'.
TRACE / HTTP/1.1
Host: apple.asia

HTTP/1.1 501 Not Implemented
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 24 Jun 2008 07:31:35 GMT
Content-length: 148
Content-type: text/html
Connection: close

<HTML><HEAD><TITLE>Not Implemented</TITLE></HEAD>
<BODY><H1>Not Implemented</H1>
This server does not implement the requested method.
</BODY></HTML>Connection closed by foreign host.
Without the change above to disable TRACE, you will see the default response below:
apple:/export/home/iws6.1sp7> telnet apple.asia 61701
Trying 129.158.175.16...
Connected to apple.asia.sun.com.
Escape character is '^]'.
TRACE / HTTP/1.1
Host: apple.asia

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 24 Jun 2008 07:33:50 GMT
Content-type: message/http
Transfer-encoding: chunked

0026
TRACE / HTTP/1.1
Host: apple.asia
0
I hope the above will help customers check whether TRACE is disabled correctly after their change.