Secunia Security Advisory - A vulnerability has been reported in Sun Java System Delegated Administrator, which can be exploited by malicious people to conduct HTTP response splitting attacks.
8d5e4d44cc989c01ce616f9aff073b053c6b6779fde75709ca10dd7ad192c747
----------------------------------------------------------------------
Secunia is pleased to announce the release of the annual Secunia
report for 2008.
Highlights from the 2008 report:
* Vulnerability Research
* Software Inspection Results
* Secunia Research Highlights
* Secunia Advisory Statistics
Request the full 2008 Report here:
http://secunia.com/advisories/try_vi/request_2008_report/
Stay Secure,
Secunia
----------------------------------------------------------------------
TITLE:
Sun Java System Delegated Administrator "HELP_PAGE" HTTP Response
Splitting
SECUNIA ADVISORY ID:
SA34760
VERIFY ADVISORY:
http://secunia.com/advisories/34760/
DESCRIPTION:
A vulnerability has been reported in Sun Java System Delegated
Administrator, which can be exploited by malicious people to conduct
HTTP response splitting attacks.
Input passed to the "HELP_PAGE" parameter in /da/DA/Login is not
properly sanitised before being returned to the user. This can be
exploited to insert arbitrary HTTP headers, which are included in a
response sent to the user. This allows arbitrary HTML and script code
to be executed in a user's browser session in context of an affected
site.
The vulnerability is reported in Sun Java System Delegated
Administrator version 6.2, 6.3, and 6.4 for the SPARC, x86, and Linux
platform.
SOLUTION:
Update to Sun Java System Delegated Administrator version 6.4 and
apply the patches.
-- SPARC Platform --
Apply patch 121581-20 or later.
-- x86 Platform --
Apply patch 121582-20 or later.
-- Linux Platform --
Apply patch 121583-20 or later.
PROVIDED AND/OR DISCOVERED BY:
Core Security Technologies
ORIGINAL ADVISORY:
Sun #255928:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-255928-1
Core Security Technologies:
http://www.coresecurity.com/content/sun-delegated-administrator
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------