Sun Java System ASP Server < 4.0.3 Multiple Vulnerabilities

Critical Nessus Plugin ID 33440


The remote web server is affected by several vulnerabilities.


The remote host is running Sun Java System Active Server Pages (ASP), or an older variant such as Sun ONE ASP or Chili!Soft ASP.

The web server component of the installed version of Active Server Pages on the remote host is affected by several vulnerabilities:

- Several of the administration server's ASP applications fail to filter or escape user input before using it to build commands that are then executed in a shell.
While access to these applications nominally requires authentication, there are reportedly several methods of bypassing that authentication (CVE-2008-2405).

- An attacker can bypass administration server authentication by connecting to the application server directly and making requests to it. This issue does not affect ASP Server on a Windows platform (CVE-2008-2406).


Upgrade to Sun Java System ASP version 4.0.3 or later.

Plugin Details

Severity: Critical

ID: 33440

File Name: sun_asp_cmd_injection.nasl

Version: $Revision: 1.17 $

Type: remote

Family: Web Servers

Published: 2008/07/08

Modified: 2016/12/14

Dependencies: 33438

Risk Information

Risk Factor: Critical


Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Patch Publication Date: 2008/06/03

Reference Information

CVE: CVE-2008-2405, CVE-2008-2406

BID: 29539, 29550

OSVDB: 46019, 46020

IAVA: 2008-A-0038

Secunia: 30523

CWE: 20, 287