TW-CA-2005-075-[Sun(sm) Alert Notification #101770:Security Vulnerability in Webmail May Allow an Unprivileged User to Execute Arbitrary Code]
======================================================================
TWCERT release date: 2005-06-24
Original vulnerability release date: 2005-06-17
Category: Miscellaneous
Source reference: Sun(sm) Alert Notification #101770
CVE ID:  

========= Description ==============================================

A new security vulnerability in iPlanet Messaging Server/Sun ONE Messaging Server
may allow a remote unauthorized user to cause JavaScript to be evaluated in a
local user's IE browser, and thereby to execute arbitrary code with the
privileges of the IE user.

Note: This security issue only arises when the client browser is IE.

========= Affected Platforms ==============================================

This issue may affect the following releases:

SPARC platform
• iPlanet Messaging Server 5.2 (Solaris 2.6 and Solaris 8)
• Sun ONE Messaging Server 6.2 (Solaris 8, Solaris 9 and Solaris 10)

x86 platform
• Sun ONE Messaging Server 6.2 (Solaris 9 and Solaris 10)

Linux platform
• Sun ONE Messaging Server 6.2 (RHEL 2.1 or 3.0)

Notes:
1. iPlanet Messaging Server 5.2 is not supported on Solaris 7.
2. Sun ONE Messaging Server 6.2 is not supported on Solaris 7 or Solaris 8 on the x86 platform.

========= Remediation ==============================================
Temporary workaround:
No temporary workaround is available.

Solution:
A final resolution is still pending.

========= Symptoms ====================================
There are currently no reliable symptoms that would indicate the above issue has been exploited.
Attachment:
=================== Original Text ====================================
Sun(sm) Alert Notification
Sun Alert ID: 101770
Synopsis: Security Vulnerability in Webmail May Allow an Unprivileged User to Execute Arbitrary Code
Category: Security
Product: iPlanet Messaging Server 5.2 Patch 1, Sun Java System Messaging Server 6.2 EA Software
BugIDs: 6284060
Avoidance: None
State: Workaround
Date Released: 17-Jun-2005
Date Closed:
Date Modified:
1. Impact
A new security vulnerability in the iPlanet Messaging Server/Sun ONE Messaging
Server may allow a remote unprivileged user the ability to cause JavaScript to
be evaluated in a local user's Internet Explorer (IE) browser and thus execute
arbitrary code with the privileges of the user running IE.

Note: This issue only occurs when the client browser is Internet Explorer (IE).

2. Contributing Factors
This issue can occur in the following releases:

SPARC Platform
- iPlanet Messaging Server 5.2 (for Solaris 2.6 and Solaris 8)
- Sun ONE Messaging Server 6.2 (for Solaris 8, Solaris 9, Solaris 10)

x86 Platform
- Sun ONE Messaging Server 6.2 (for Solaris 9 and Solaris 10)

Linux Platform
- Sun ONE Messaging Server 6.2 (for RHEL 2.1 or 3.0)

Notes:
- iPlanet Messaging Server 5.2 is not supported on Solaris 7.
- Sun ONE Messaging Server 6.2 is not supported on Solaris 7 or Solaris 8 on the x86 platform.

3. Symptoms
There are no reliable symptoms that would indicate the described issue has been
exploited.

Solution Summary

4. Relief/Workaround
This Sun Alert will be updated as more information is known.

5. Resolution
A final resolution is pending completion.

This Sun Alert notification is being provided to you on an "AS IS" basis. This
Sun Alert notification may contain information provided by third parties. The
issues described in this Sun Alert notification may or may not impact your
system(s). Sun makes no representations, warranties, or guarantees as to the
information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING
THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT
OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert
notification contains Sun proprietary and confidential information. It is being
provided to you pursuant to the provisions of your agreement to purchase
services from Sun, or, if you do not have such an agreement, the Sun.com Terms
of Use. This Sun Alert notification may only be used for the purposes
contemplated by these agreements.

Copyright 2000-2005 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA
95054 U.S.A. All rights reserved.


8F-1, No. 92, Xintai Road, Zhubei City, Hsinchu County 302
TEL:(03)553-1836 | FAX:(03)553-5887
(C)2005 AllNetSecure Information Co., Ltd. All Rights Reserved