Oracle iPlanet Web Server 7.0.x < 7.0.15 Multiple Vulnerabilities

medium Nessus Plugin ID 59736

Synopsis

The remote web server is affected by multiple vulnerabilities.

Description

According to its self-reported version, the Oracle iPlanet Web Server (formerly Sun Java System Web Server) running on the remote host is 7.0.x prior to 7.0.15. It is, therefore, affected by the following vulnerabilities:

- Multiple cross-site scripting vulnerabilities exist due to parameter validation errors that occur when input is submitted to admingui scripts 'cchelp2/Masthead.jsp', 'version/Masthead.jsp', and 'cchelp2/Navigator.jsp'. A remote attacker, using a crafted URL, can exploit these to execute arbitrary script code in the user's browser in the context of the session between the browser and the server. (CVE-2012-0516)

- An unspecified error exists in the Web Server component that can allow denial of service attacks. (CVE-2012-1738)

Note that Oracle states that bug 12919334 'WS7: RANGE HEADER DOS VULNERABILITY' could not be reproduced.

Solution

Upgrade to Oracle iPlanet Web Server 7.0.15 or later.

See Also

http://www.nessus.org/u?b889755f

https://docs.oracle.com/cd/E18958_01/doc.70/e18789/chapter.htm

https://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html

http://www.nessus.org/u?578488bf

Plugin Details

Severity: Medium

ID: 59736

File Name: sun_java_web_server_7_0_15.nasl

Version: 1.11

Type: remote

Family: Web Servers

Published: 6/27/2012

Updated: 11/15/2018

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.3

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:oracle:iplanet_web_server

Required KB Items: installed_sw/Oracle iPlanet Web Server/

Exploit Ease: No known exploits are available

Patch Publication Date: 4/18/2012

Vulnerability Publication Date: 4/18/2012

Reference Information

CVE: CVE-2012-0516, CVE-2012-1738

BID: 53133, 54515