Sun ONE Application Server 7.0 for Windows 2000 and XP contains multiple vulnerabilities that can allow remote attackers to view source code, perform cross-site scripting attacks, and view sensitive files.
The first vulnerability may allow a remote attacker to view a JSP application's source code by changing the case of the .jsp extension in the HTTP request. Because of the porting of case-sensitive Unix code to Windows, which is not case-sensitive, the server only properly processes the request if it ends in .jsp. If it ends in .JSP, the JSP engine returns the source file.
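The extension-case flaw in the first vulnerability, as an added example that is not part of the advisory and not Sun's code: a Python model of the vulnerable case-sensitive suffix check beside a hardened one, a stand-in for the case-insensitive Windows filesystem that shows when source is returned, and a scan of constructed access-log lines for the mixed-case .jsp requests that this flaw turns into source disclosures. All paths, file contents and log lines are constructed.

```python
# Added example, not the advisory's or Sun's code; paths, file contents and
# log lines below are constructed.
import os
import re
from typing import Callable, Optional

JSP_EXT = ".jsp"

def vulnerable_is_jsp(request_path: str) -> bool:
    # Exact, case-sensitive suffix compare, as the advisory describes:
    # a request for "/app/login.JSP" is not routed to the JSP engine.
    return request_path.split("?", 1)[0].endswith(JSP_EXT)

def hardened_is_jsp(request_path: str) -> bool:
    # Normalise the extension before dispatch: the filesystem resolves
    # "login.JSP" and "login.jsp" to one file, so dispatch must agree.
    _, ext = os.path.splitext(request_path.split("?", 1)[0])
    return ext.lower() == JSP_EXT

# Stand-in for a case-insensitive filesystem: lower-cased path -> content.
SOURCE_FILES = {"/app/login.jsp": '<% String dbPassword = "constructed"; %>'}

def serve(request_path: str, is_jsp: Callable[[str], bool]) -> Optional[str]:
    source = SOURCE_FILES.get(request_path.split("?", 1)[0].lower())
    if source is None:
        return None                        # not found
    if is_jsp(request_path):
        return "[rendered by JSP engine]"  # source stays on the server
    return source                          # served as a static file: leak

# Constructed NCSA-style access-log lines for the detection scan.
LOG_LINES = [
    '10.0.0.5 - - [10/Mar/2003:12:00:01 +0000] "GET /app/login.jsp HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Mar/2003:12:00:02 +0000] "GET /app/login.JSP HTTP/1.1" 200 2048',
    '10.0.0.9 - - [10/Mar/2003:12:00:03 +0000] "GET /app/Login.Jsp?id=1 HTTP/1.1" 200 2048',
    '10.0.0.9 - - [10/Mar/2003:12:00:04 +0000] "GET /img/logo.gif HTTP/1.1" 200 90',
]
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def find_extension_case_requests(lines) -> list:
    # Flag .jsp requests whose extension is not all lower case: on the
    # affected server these are the requests that would return source.
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            path = m.group(1).split("?", 1)[0]
            if hardened_is_jsp(path) and not path.endswith(JSP_EXT):
                hits.append(path)
    return hits
```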
The second vulnerability may allow a cross-site scripting attack during the processing of a Java application. If an error occurs during the processing of a malformed request, the malicious request is returned in the response. This may allow a remote attacker to inject scripts into the query string that can execute when the response is received.
The third vulnerability may allow a remote attacker to gain access to files containing sensitive information. When Sun ONE Application Server is installed on Windows 2000, it is installed in the C:\Sun directory by default. Files created in this directory have world-readable permissions. An attacker could gain access to the sensitive files located in this directory, one of which contains the username and password to the administrative server.
Updated packages are available.