Sun Java System Communications Express security advisory
by Davey Winder
Saturday, 23 May 2009
Yet another critical cross-site scripting vulnerability has been reported, this time affecting users of Sun's Java System Communications Express application. Sun Microsystems was probably hoping that all the media attention this week would be focused on Project Vector, which according to CEO Jonathan Schwartz could create the world's largest app store.
To be fair, the Sun situation is not quite so bad, although I am not sure that users of Sun's Java System Communications Express Web-based communications and collaboration application will see it that way. Core Security Technologies has issued an advisory disclosing critical vulnerabilities that could affect large numbers of end users as well as organisations using the application. Consultants working with the company's research arm, CoreLabs, have unearthed what they say are "multiple vulnerabilities" in the application, which is a remote access element of Sun's Java Communications Suite. If leveraged, these could enable attackers to target users through cross-site scripting.

The first XSS vulnerability resides in the product's Personal Address Book "add contact" functionality. The affected URL is normally accessed through a POST request, but the flaw can be exploited with either a GET or a POST request. The contents of the variables involved are not encoded when they are used in HTML output, allowing an attacker who controls their content to insert JavaScript code. The second vulnerability is that the contents of the URL are not encoded when they are used in HTML output, again allowing an attacker who controls their content to insert JavaScript code. This vulnerability can be exploited through a GET request, and the user does not need to be logged into the web application.

CoreLabs has alerted the Sun Security Coordination Team and is working on a synchronised effort to create patches.

"Cross-Site Scripting bugs are popular among attackers attempting to coax Web applications into providing control of end users' Web browsers to carry out a wide range of malicious schemes," said Ivan Arce, CTO of Core Security Technologies. "It is very important that organizations take the necessary steps to ensure that the applications they build or license from third parties are not susceptible to these types of exploits."
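As an added illustration that is not Sun's code and not part of the advisory, the defect class the article describes (request values and the request URL echoed into HTML without encoding, reachable by GET or POST) beside the encoded form; the handler names, the placeholder path and the sample input below are constructed:

```python
import html
from urllib.parse import parse_qs


def extract_params(method: str, query: str, body: str) -> dict:
    """Constructed stand-in for an "add contact" handler's parameter parsing.
    Both verbs feed the same handler, mirroring the advisory's point that the
    flaw is reachable via GET (query string) and POST (form body)."""
    raw = query if method == "GET" else body
    return {k: v[0] for k, v in parse_qs(raw).items()}


def render_contact_vulnerable(params: dict, request_path: str) -> str:
    """Echoes the contact name and the request URL into HTML verbatim:
    the unencoded-output defect class the advisory describes (hypothetical code)."""
    name = params.get("name", "")
    return (f'<form action="{request_path}">'
            f'<input name="name" value="{name}">'
            f'<p>Added contact: {name}</p></form>')


def render_contact_safe(params: dict, request_path: str) -> str:
    """Same markup, but every untrusted value is HTML-encoded for the context
    it lands in; quote=True also covers the attribute values."""
    name = html.escape(params.get("name", ""), quote=True)
    path = html.escape(request_path, quote=True)
    return (f'<form action="{path}">'
            f'<input name="name" value="{name}">'
            f'<p>Added contact: {name}</p></form>')


def reflects_unencoded(rendered: str, untrusted: str) -> bool:
    """Review/detection check: True when an input containing HTML-significant
    characters appears verbatim in the rendered page, i.e. encoding was skipped."""
    has_special = any(c in untrusted for c in '<>"\'&')
    return has_special and untrusted in rendered


if __name__ == "__main__":
    # Constructed marker input: breaks out of the value="..." attribute and injects a tag.
    sample = extract_params("POST", "", 'name=%22%3E%3Cb%3Einjected%3C%2Fb%3E')
    print(reflects_unencoded(render_contact_vulnerable(sample, "/example/addcontact"), sample["name"]))
    print(reflects_unencoded(render_contact_safe(sample, "/example/addcontact"), sample["name"]))
```

The same check applied to the request path covers the second, unauthenticated URL-reflection case.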