iDefense Security Advisory 06.03.08 - Remote exploitation of a design error in Sun Microsystems' Java System Active Server Pages allows attackers to bypass the administration server's authentication mechanisms. The vulnerability exists due to the improper design of the ASP application server. The administration application server exists as a stand-alone service that listens on TCP port 5102. By connecting directly to this service and making requests, attackers are able to bypass the authentication mechanisms introduced by the administration HTTP server. iDefense has confirmed the existence of this vulnerability within version 4.0.2 of Sun Microsystems Inc.'s Java System Active Server Pages. Older versions are suspected to be vulnerable.
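The exposure described above is a classic case of a back-end service that assumes the front-end will do the authenticating. The following Python check, added here as an illustration and not part of the iDefense advisory or of Sun's product, parses `ss -ltn`-style listener output and reports any listener on the administration port (5102, from the advisory) that is bound to a non-loopback address, meaning it can be reached without passing through the administration HTTP server. The sample listener table is constructed, not captured from a real host; the port constant and the `ss` column layout are the only assumptions.

```python
"""Exposure check for a stand-alone administration service (added example).

Parses `ss -ltn`-style listener lines and flags listeners on the admin port
that are bound to a non-loopback address. Such a binding is the condition
under which the front-end HTTP server's authentication can be bypassed.
"""
import ipaddress

ADMIN_PORT = 5102  # administration application server port named in the advisory

# Constructed sample of `ss -ltn` output (not captured from a real host).
SAMPLE_LISTENERS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:5102        0.0.0.0:*
LISTEN  0       128     0.0.0.0:5100          0.0.0.0:*
LISTEN  0       128     0.0.0.0:5102          0.0.0.0:*
LISTEN  0       128     [::]:5102             [::]:*
"""


def parse_listeners(text):
    """Yield (address, port) for each LISTEN line; header and other states are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        local = fields[3]                      # e.g. "127.0.0.1:5102" or "[::]:5102"
        addr, _, port = local.rpartition(":")  # split on the last colon (IPv6-safe)
        addr = addr.strip("[]")
        yield addr, int(port)


def is_loopback(addr):
    """True only for a parseable loopback address; anything else ("*", "0.0.0.0",
    "::", hostnames) is treated as potentially reachable, the safe default."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def exposed_admin_listeners(text, admin_port=ADMIN_PORT):
    """Return (address, port) for every admin-port listener not bound to loopback."""
    return [(addr, port) for addr, port in parse_listeners(text)
            if port == admin_port and not is_loopback(addr)]


if __name__ == "__main__":
    for addr, port in exposed_admin_listeners(SAMPLE_LISTENERS):
        print(f"admin service reachable off-host: {addr}:{port}")
```

On a real host, feed the function the output of `ss -ltn` (or `netstat -ltn`) instead of the constructed sample. A non-empty result means the administration application server is not confined to the loopback interface; binding it to 127.0.0.1 or filtering TCP/5102 at the host firewall removes the direct path around the HTTP server's authentication until a vendor fix is applied.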