Sun Multiple Java System Request Smuggling Vulnerability

BID: 21371

Info

Bugtraq ID: 21371
Class: Input Validation Error
CVE: CVE-2006-6276
Remote: Yes
Local: No
Published: Nov 30 2006 12:00AM
Updated: Feb 26 2007 11:06PM
Credit: This issue was disclosed in the referenced Sun advisory.
Vulnerable: Sun ONE Application Server 7.0 UR7 Standard Edition
Sun ONE Application Server 7.0 UR7 Platform Edition
Sun ONE Application Server 7.0 UR6 Standard Edition
Sun ONE Application Server 7.0 UR6 Platform Edition
Sun ONE Application Server 7.0 UR2 Upgrade Standard
Sun ONE Application Server 7.0 UR2 Upgrade Platform
Sun ONE Application Server 7.0 UR2 Standard Edition
Sun ONE Application Server 7.0 UR2 Platform Edition
Sun ONE Application Server 7.0 UR1 Standard Edition
Sun ONE Application Server 7.0 UR1 Platform Edition
Sun ONE Application Server 7.0 Update 3
Sun ONE Application Server 7.0 Standard Edition
Sun ONE Application Server 7.0 Platform Edition
Sun Java Web Proxy Server 3.6 SP7
Sun Java Web Proxy Server 3.6 SP6
Sun Java Web Proxy Server 3.6 SP5
Sun Java Web Proxy Server 3.6 SP4
Sun Java Web Proxy Server 3.6 SP3
Sun Java Web Proxy Server 3.6 SP2
Sun Java Web Proxy Server 3.6 SP1
Sun Java Web Proxy Server 3.6
Sun Java Web Proxy Server 4.0
Sun Java System Web Server 6.1 SP4
Sun Java System Web Server 6.1 SP3
Sun Java System Web Server 6.1 SP2
Sun Java System Web Server 6.1 SP1
Sun Java System Web Server 6.1
Sun Java System Web Server 6.0 SP9
Sun Java System Web Server 6.0 SP8
Sun Java System Web Server 6.0 SP7
Sun Java System Web Server 6.0 SP6
Sun Java System Web Server 6.0 SP5
Sun Java System Web Server 6.0 SP4
Sun Java System Web Server 6.0 SP3
Sun Java System Web Server 6.0 SP2
Sun Java System Web Server 6.0 SP1
Sun Java System Web Server 6.0
Sun Java System Application Server Standard Platform 8.1 2005 Q1
Sun Java System Application Server Platform Edition 8.1 2005 Q1 UR1
Sun Java System Application Server Platform Edition 8.1 2005 Q1
Sun Java System Application Server Enterprise Edition 8.1 2005Q1RHEL2.1/RHEL3
Sun Java System Application Server Enterprise Edition 8.1 2005 Q1
Sun Java System Application Server 7.0 2004Q2 R3 Standard
Sun Java System Application Server 7.0 2004Q2 R3 Enterprise
Sun Java System Application Server 7.0 2004Q2 R2 Standard
Sun Java System Application Server 7.0 2004Q2 R2 Enterprise
Sun Java System Application Server 7.0 2004Q2 R1 Standard
Sun Java System Application Server 7.0 2004Q2 R1 Enterprise
Sun Java System Application Server 7.0 2004Q2
Sun Java System Application Server 7 2004Q2
Not Vulnerable: Sun ONE Application Server Standard Edition 7.0.0 UR8
Sun ONE Application Server 7.0.0 UR8 Platform E
Sun Java Web Proxy Server 3.6 SP8
Sun Java Web Proxy Server 4.0 SP1
Sun Java System Web Server 6.1 SP5
Sun Java System Web Server 6.0 SP10
Sun Java System Application Server Standard 7.0.0 2004Q2 R4
Sun Java System Application Server Enterprise 7.0.0 2004Q2 R4

Discussion

Multiple Sun Java System servers are prone to an HTTP-request-smuggling attack.

This class of attack involves piggybacking one HTTP request inside another so that front-end and back-end components disagree about where one request ends and the next begins. By leveraging failures to implement the HTTP/1.1 RFC properly, it has been demonstrated to enable cache poisoning, cross-site scripting, session hijacking, and other attacks.

Exploit / POC

To exploit this issue, an attacker may use standard networking tools.

Solution / Fix

Solution:
The vendor has addressed this issue in supported versions of the affected applications. Please see the referenced vendor advisory for details on obtaining and applying the appropriate updates.


© CVE.report 2026