Title: Sun ONE Application Server Source Disclosure Vulnerability
Severity: HIGH
Description:
Sun ONE Application Server is the application server solution distributed and maintained by Sun Microsystems. It is available for the Unix, Linux, and Microsoft platforms.
Sun ONE Application Server is prone to a source code disclosure vulnerability. The issue is caused by the way the server handles letter case in requests for resources. When the case of a file extension is changed, the server may fail to interpret the script and instead serve it as a normal web resource. For example, if a JSP page is requested with the '.jsp' extension, it will be interpreted. However, if the same resource is requested with an extension of '.JSP', it will not be interpreted by the server.
Script source code may contain sensitive information, such as database authentication credentials, which will be disclosed to a remote attacker if this issue is exploited.
This issue exists for Sun ONE Application Server on Microsoft Windows platforms. Previous versions may also be affected.
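A log check for the behaviour described above, as an added example that is not part of the original advisory: it flags requests whose script extension is not in lowercase and records the response status, so that requests the server answered with 200 can be reviewed. The Common Log Format layout, the '.jsp'-only extension set, and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Extensions the server is expected to interpret, not serve as-is (assumed set).
SCRIPT_EXTENSIONS = {".jsp"}

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

def mixed_case_script_ext(target):
    """Return the extension if it is a script extension not written in lowercase, else None."""
    # Drop the query string and decode percent-escapes such as %4a ('J').
    path = unquote(urlsplit(target).path)
    # Keep the last path segment and drop path parameters (;jsessionid=...).
    last = path.rsplit("/", 1)[-1].split(";", 1)[0]
    dot = last.rfind(".")
    if dot < 0:
        return None
    ext = last[dot:]
    if ext.lower() in SCRIPT_EXTENSIONS and ext != ext.lower():
        return ext
    return None

def find_case_variant_hits(lines):
    """Return (client, target, status) for requests using a case-altered script extension."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a parseable access-log line
        client, _method, target, status = m.groups()
        if mixed_case_script_ext(target):
            hits.append((client, target, int(status)))
    return hits

# Constructed sample log lines (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2004:10:00:00 +0000] "GET /app/login.jsp HTTP/1.0" 200 512',
    '198.51.100.7 - - [01/Jan/2004:10:00:05 +0000] "GET /app/login.JSP HTTP/1.0" 200 2048',
    '198.51.100.7 - - [01/Jan/2004:10:00:06 +0000] "GET /app/db.Jsp?x=1 HTTP/1.0" 404 0',
    '198.51.100.7 - - [01/Jan/2004:10:00:07 +0000] "GET /app/db.%4aSP;jsessionid=A1 HTTP/1.0" 200 1900',
    '192.0.2.10 - - [01/Jan/2004:10:00:09 +0000] "GET /img/logo.PNG HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for client, target, status in find_case_variant_hits(SAMPLE_LOG):
        note = "served, review response for script source" if status == 200 else "not served"
        print(f"{client} {target} {status} ({note})")
```

A 200 response to a flagged request is the case to review, since the description states the script is served as a normal web resource instead of being interpreted.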
Affected Products:
- Sun ONE Application Server 7.0.0 Platform Edition
- Sun ONE Application Server 7.0.0 Standard Edition
- Sun ONE Application Server 7.0.0 UR1 Platform Edition
- Sun ONE Application Server 7.0.0 UR1 Standard Edition
References:
- SPI Dynamics: Multiple Vulnerabilities in Sun-One Application Server
- Sun: Sun Alert ID: 55221
- Sun: Sun ONE Application Server Homepage
- Sun: Sun[tm] ONE Web Server