Sun Secure Global Desktop Software (SSGD) contains multiple cross-site scripting vulnerabilities

2006-12-13T00:00:00
ID VU:262352
Type cert
Reporter CERT
Modified 2006-12-20T15:38:00

Description

Overview

The Sun Secure Global Desktop (SSGD) contains cross-site scripting vulnerabilities.

Description

Sun Secure Global Desktop (formerly Tarantella) contains multiple input validation vulnerabilities due to failure to properly sanitize user input. The following modules do not properly filter HTML code from user input, facilitating cross-site scripting attacks:

* `taarchives.cgi`
* `ttaAuthentication.jsp`
* `ttalicense.cgi`
* `ttawlogin.cgi`
* `ttawebtop.cgi`
* `ttaabout.cgi`
* `test-cgi`

Sun states that this issue affects Sun Secure Global Desktop Software 4.2 prior to build 4.20.983 for Solaris 8 and 9 on the SPARC platform, Solaris 10 on the SPARC and x86 platforms, and the Linux platform.

Impact

A remote attacker may be able to execute arbitrary script commands in the context of a victim user. Secondary impacts include: theft of cookie information, session hijacking, and loss of data privacy between a client and the intended server.


Solution

Apply an update

Sun has addressed this vulnerability in the latest build of Sun Secure Global Desktop.


Vendor Information

262352

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Sun Microsystems, Inc. __ Affected

Updated: October 31, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Sun has issued a security document regarding this vulnerability. Please see Sun document 102650 for further details.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | |
Temporal | |
Environmental | |

References

  • <http://sunsolve.sun.com/search/document.do?assetkey=1-26-102650-1>
  • <http://www.securityfocus.com/bid/20135>
  • <http://www.securityfocus.com/bid/20276>
  • <http://www.frsirt.com/english/advisories/2006/3739>
  • <http://securitytracker.com/id?1016900>
  • <http://secunia.com/advisories/22037>
  • <http://xforce.iss.net/xforce/xfdb/29070>
  • <http://xforce.iss.net/xforce/xfdb/29303>

Acknowledgements

This issue was reported by SUN in document 102650. Sun thanks Marc Ruef of scip AG for reporting this issue.

This document was written by Katie Steiner.

Other Information

CVE IDs: | CVE-2006-4958
---|---
Severity Metric: | 13.50
Date Public: | 2006-09-21
Date First Published: | 2006-12-13
Date Last Updated: | 2006-12-20 15:38 UTC
Document Revision: | 14