Synopsis :

The remote web server is affected by several cross-site
scripting vulnerabilities.

Description :

According to its self-reported version, the web server listening on
this port is a version of Oracle iPlanet Web Server (formerly Sun Java
System Web Server) 7.0 before 7.0.15. Such versions reportedly are
affected by several cross-site scripting vulnerabilities in the
following pages :

- The 'helpLogoWidth' and 'helpLogoHeight' parameters of
the page 'admingui/cchelp2/Masthead.jsp'.

- The 'productNameHeight' and 'productNameWidth'
parameters of the page 'admingui/version/Masthead.jsp'.

- The 'appName' and 'pathPrefix' parameters of the page
'admingui/cchelp2/Navigator.jsp'.

Note that Oracle states bug 12919334 'WS7: RANGE HEADER DOS
VULNERABILITY' could not be reproduced.

See also :

http://www.nessus.org/u?24cfa047
http://docs.oracle.com/cd/E18958_01/doc.70/e18789/chapter.htm
http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html

Solution :

Upgrade to Oracle iPlanet Web Server 7.0.15 or later.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score : 3.2
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false