Cross-site Scripting Vulnerability (XSS) Affecting Pages Generated with JavaDoc Tool

| Field | Value |
|---|---|
| Category | Security |
| Release Phase | Resolved |
| Product | Java 2 Platform, Standard Edition |
| Bug Id | 6490790 |
| Date of Resolved Release | 28-JUN-2007 |
Impact
A defect in the Javadoc tool in various releases of the JDK may lead to the generation of HTML documentation pages which contain a potential cross-site scripting (XSS) vulnerability. This may allow a remote user to gain access to cookies from the website that hosts the generated documentation.
Sun acknowledges, with thanks, Martin Straka, for bringing this issue to our attention.
Contributing Factors
This issue can occur in the following releases for all platforms (Solaris, Linux, and Windows):
- JDK 5.0 Update 11 and earlier
- JDK 6
Note: The Javadoc tool included in SDK 1.4.x and earlier is not affected by this issue.
To determine the version of Java on a system, the following command can be run:
% java -version
java version "1.5.0_02-b09"
For this vulnerability to be exploited, a user must click a link (created by a malicious user) in a website or email that points to a vulnerable "index.html" documentation page. The user's cookies from the website that hosts the "index.html" documentation page may then be accessed by the malicious user.
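The advisory does not spell out the defect, so the following is an added example of the defensive pattern a documentation frameset page should use, not the Javadoc tool's own code or its fix. It assumes (as an assumption for this example) that the generated `index.html` reads the page to show in its content frame from `window.location.search`; the point is that such a value is attacker-controlled once a victim follows a crafted link, so it must be allow-listed before it is used as a frame target, and it must be assigned to the frame's `src` rather than written into the page as markup. The names `safeTargetPage`, `loadTargetFrame` and `DEFAULT_PAGE` are chosen here for illustration.

```javascript
// Added example (not the Javadoc tool's code): allow-list validation of a
// frame-target page name taken from the query string of a frameset page.
// Assumption: index.html reads the page to load from window.location.search,
// e.g. "?java/lang/String.html".

const DEFAULT_PAGE = "overview-summary.html"; // assumed safe default page name

// Allow-list: one or more "/"-separated segments that look like Java package
// or class identifiers, the last one ending in ".html". Anything else
// (a scheme such as "http:" or "javascript:", a leading "/", "..", "<",
// quotes, spaces) fails the match.
const SAFE_PAGE = /^(?:[A-Za-z_$][A-Za-z0-9_$-]*\/)*[A-Za-z_$][A-Za-z0-9_$.-]*\.html$/;

// Returns the validated relative page path, or DEFAULT_PAGE when the query
// string is absent, empty or not on the allow-list.
function safeTargetPage(search) {
  if (typeof search !== "string" || search.length < 2 || search[0] !== "?") {
    return DEFAULT_PAGE;
  }
  const candidate = search.substring(1);
  return SAFE_PAGE.test(candidate) ? candidate : DEFAULT_PAGE;
}

// Navigates the content frame by assigning a validated value to its src
// attribute. Assigning src (a URL) instead of writing the value into the
// document as HTML is what keeps the value from being interpreted as markup.
// frameEl may be a real <frame> element or, as in the usage below, any object
// with a "src" property; returns the URL that was set.
function loadTargetFrame(frameEl, search) {
  frameEl.src = safeTargetPage(search);
  return frameEl.src;
}

// Usage with a stand-in frame object (constructed for this example):
const demoFrame = { src: "" };
loadTargetFrame(demoFrame, "?java/lang/String.html"); // demoFrame.src === "java/lang/String.html"
loadTargetFrame(demoFrame, "?../../x.html");          // rejected, demoFrame.src === DEFAULT_PAGE
```

The allow-list deliberately describes what a Javadoc page reference looks like rather than trying to enumerate bad characters; a deny-list of `<`, `"` and `javascript:` would still let through encodings or schemes it did not anticipate, whereas the pattern above only ever yields a relative `.html` path inside the documentation tree.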
Symptoms
There are no predictable symptoms that would indicate the described issue has been exploited.
Workaround
Please see the "Note" in the Resolution section below.
Resolution
This issue is addressed in the following releases for all platforms (Solaris, Linux, and Windows):
- JDK 5.0 Update 12 or later
- JDK 6 Update 1 or later
J2SE 5.0 Update 12 for Solaris is available in the following patches:
- J2SE 5.0: update 12 (as delivered in patch 118666-12)
- J2SE 5.0: update 12 (as delivered in patch 118667-12 (64bit))
- J2SE 5.0_x86: update 12 (as delivered in patch 118668-12)
- J2SE 5.0_x86: update 12 (as delivered in patch 118669-12 (64bit))
JDK 5.0 is available for download at the following link:
http://java.sun.com/javase/downloads/index_jdk5.jsp
Java SE 6 Update 1 for Solaris is available in the following patches:
- Java SE 6: update 1 (as delivered in patch 125136-01)
- Java SE 6: update 1 (as delivered in patch 125137-01 (64bit))
- Java SE 6_x86: update 1 (as delivered in patch 125138-01)
- Java SE 6_x86: update 1 (as delivered in patch 125139-01 (64bit))
JDK 6 is available for download at the following link:
http://java.sun.com/javase/downloads/index.jsp
Note: In order to fully resolve this issue, any "index.html" page that was generated with an affected version of the Javadoc tool must be regenerated using a Javadoc tool in one of the releases mentioned in this resolution section.
Modification History
Date: 03-JUL-2007
- Updated Resolution section