PT-2003-1604 · Sun · Sun Java System Web Server+1

Published: 2003-06-11 · Updated: 2016-10-18 · CVE-2003-0413

CVSS v2.0: 6.8 (Medium)

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Sun ONE Application Server version 7.0; Sun Java System Web Server version 6.1
Description: A cross-site scripting (XSS) issue exists in the webapps-simple sample application, allowing remote attackers to insert arbitrary web script or HTML via a crafted HTTP request. This request generates an "Invalid JSP file" error, which in turn inserts the attacker's text into the resulting error message.
Recommendations: For Sun ONE Application Server version 7.0, update the webapps-simple sample application to prevent the insertion of arbitrary web script or HTML. For Sun Java System Web Server version 6.1, modify the error handling mechanism so that user-supplied data is not reflected in error messages.


Related identifiers

CVE-2003-0413

Affected products

Sun Java System Web Server
Sun One Application Server