Sun One Web server flaw can run attack code

A security hole in Sun Microsystems Inc.’s Sun One and iPlanet Web servers can allow an attacker to launch a denial of service attack on the server and to run attack code of his or her choice, according to a security alert released Friday by eEye Digital Security Inc.

Using a specially formed request employing chunked transfer encoding, an attacker can cause a buffer overflow on the Web servers, which will crash them, according to a separate security alert released by Sun. This can allow an attacker to run malicious code, Sun said. Chunked transfer encoding is a feature allowing applications to maintain persistent connections without knowing the length of the expected content.

The vulnerability is remotely exploitable, meaning that an attacker who does not have physical access to the machine can launch an attack on affected systems.

The flaws affect iPlanet Web server 4.1 and Sun One Web server 6.0, according to the alerts.

Sun has released both a work around and service packs that fix the problem. Links to those downloads, as well as more information about the vulnerability, can be found at the company’s Web site at

Another vulnerability involving chunked encoding was discovered in the Apache Web server in June.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Previous article
Next article

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now