Sun Java System Communications Express security advisory

Yet another critical cross-site scripting vulnerability has been reported, this time impacting those using Sun's Java System Communications Express application.

Sun Microsystems was probably hoping that all the media attention this week would be focused on Project Vector, which according to CEO Jonathan Schwartz could create the world's largest app store.

Yet things have a habit of going pear-shaped when predicting such things: just ask Google, which this week has seen the press move from 30 minutes of YouTube video uploaded every second to the YouTube Porn Day scandal, ending up with a breaking story concerning 5000 video clips with links to malware sites.

To be fair, the Sun situation is not quite so bad, although I am not sure that users of Sun's Java System Communications Express Web-based communications and collaboration application will see it that way.

Core Security Technologies has issued an advisory which discloses critical vulnerabilities that could potentially impact upon large numbers of end users as well as organisations using the application.

Consultants working with the company's research arm, CoreLabs, have unearthed what they say are "multiple vulnerabilities" in the application, which is the remote access component of Sun's Java Communications Suite. If exploited, these would allow attackers to target users of the application through cross-site scripting.
 
The first XSS vulnerability resides in the product's Personal Address Book "add contact" functionality. The affected URL is normally reached through a POST request, but the flaw can be exploited with either a GET or a POST request. The contents of the variables involved are not encoded when they are written into the HTML output, so an attacker who controls their content can insert JavaScript that runs in the victim's browser.

The second vulnerability follows the same pattern: the contents of the URL are not encoded when they are reflected into the HTML output, again allowing an attacker who controls them to insert JavaScript. This one can be exploited through a plain GET request, and the user does not need to be logged into the web application, which means a single crafted link sent to a victim is enough to trigger it. The practical check for either flaw is the same: every value that comes from the request, whether a form field or part of the URL, must be HTML-encoded at the point where it is written into the page.

CoreLabs has alerted the Sun Security Coordination Team, and is working on a synchronised effort to create patches.

"Cross-Site Scripting bugs are popular among attackers attempting to coax Web applications into providing control of end users' Web browsers to carry out a wide range of malicious schemes" said Ivan Arce, CTO of Core Security Technologies. "It is very important that organizations take the necessary steps to ensure that the applications they build or license from third parties are not susceptible to these types of exploits."