----------------------------------------------------------------------

Hardcore Disassembler / Reverse Engineer Wanted!

Want to work with IDA and BinDiff?
Want to write PoC's and Exploits?

Your nationality is not important.
We will get you a work permit, find an apartment, and offer a
relocation compensation package.

http://secunia.com/hardcore_disassembler_and_reverse_engineer/

----------------------------------------------------------------------

TITLE:
Sun Java System Application Server / Web Server File Disclosure

SECUNIA ADVISORY ID:
SA21251

VERIFY ADVISORY:
http://secunia.com/advisories/21251/

CRITICAL:
Moderately critical

IMPACT:
Exposure of system information, Exposure of sensitive information

WHERE:
>From remote

SOFTWARE:
Sun Java System Application Server (Sun ONE) 7.x
http://secunia.com/product/1534/
Sun Java System Application Server 8.x
http://secunia.com/product/3509/
Sun Java System Web Server (Sun ONE/iPlanet) 6.x
http://secunia.com/product/92/

DESCRIPTION:
A vulnerability has been reported in Sun Java System Application
Server (SJSAS) and Sun Java System Web Server (SJSWS), which can be
exploited by malicious people to gain knowledge of sensitive
information.

The vulnerability is caused due to an unspecified error and can be
exploited to disclose arbitrary files on the system.

SOLUTION:
Update to fixed versions.

-- SPARC Platform --

* Sun ONE Application Server 7 with Update 8 or later
* Sun Java System Application Server 7 2004 Q2 with Update 5 or
later
* Sun Java System Application Server Enterprise Edition 8.1 2005 Q1
with (file-based) patch 119169-02 or (SVR4) patch 119166-09 or later
* Sun Java System Web Server 6.0 with Service Pack 10 or later
* Sun Java System Web Server 6.1 2005 Q1 with Service Pack 6 or
later
* Sun Java System Web Server 6.1 2005 Q1 with patch 116648-18 or
later

-- x86 Platform --

* Sun ONE Application Server 7 with Update 8 or later
* Sun Java System Application Server 7 2004 Q2 with Update 5 or
later
* Sun Java System Application Server Enterprise Edition 8.1 2005 Q1
with (file-based) patch 119170-02 or (SVR4) patch 119167-09 or later
* Sun Java System Web Server 6.0 with Service Pack 10 or later
* Sun Java System Web Server 6.1 2005 Q1 with Service Pack 6 or
later
* Sun Java System Web Server 6.1 2005 Q1 with patch 116649-18 or
later

-- Linux Platform --

* Sun ONE Application Server 7 with Update 8 or later
* Sun Java System Application Server 7 2004 Q2 with Update 5 or
later
* Sun Java System Application Server Enterprise Edition 8.1 2005 Q1
with (file-based) patch 119171-02 or (SVR4) patch 119168-09 or later
* Sun Java System Web Server 6.0 with Service Pack 10 or later
* Sun Java System Web Server 6.1 2005 Q1 with Service Pack 6 or
later
* Sun Java System Web Server 6.1 2005 Q1 with patch 118202-10 or
later

-- AIX Platform --

* Sun Java System Web Server 6.0 with Service Pack 10 or later
* Sun Java System Web Server 6.1 2005 Q1 with Service Pack 6 or
later

-- HP-UX Platform --

* Sun Java System Application Server Enterprise Edition 8.1 2005 Q1
with (native) patch 121514-01 or later
* Sun Java System Web Server 6.0 with Service Pack 10 or later
* Sun Java System Web Server 6.1 2005 Q1 with Service Pack 6 or
later

-- Windows Platform --

* Sun ONE Application Server 7 with Update 8 or later
* Sun Java System Application Server 7 2004 Q2 with Update 5 or
later
* Sun Java System Application Server Enterprise Edition 8.1 2005 Q1
with (file based) patch 119172-07 or (native) patch 121528-01 or
later
* Sun Java System Web Server 6.0 with Service Pack 10 or later
* Sun Java System Web Server 6.1 2005 Q1 with Service Pack 6 or later

PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.

ORIGINAL ADVISORY:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102521-1

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/


Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------