Preventing Cross Site Scripting Attacks in Oracle iPlanet Webserver 7.0 (Doc ID 1457522.1)

Last updated on JULY 12, 2017

Applies to:

Oracle iPlanet Web Server - Version 7.0 and later
Information in this document applies to any platform.

Symptoms

On version 7.0, Security:

Configure obj.conf to prevent cross-site scripting by following the Oracle iPlanet Web Server 7.0.9 Administrator's Configuration File Reference Guide - Chapter 7 Controlling Access to Your Server - Preventing Cross Site Scripting Attacks (https://docs.oracle.com/cd/E19146-01/821-1828/ghyzd/index.html)

The following error might occur:

ERROR
-----------------------
[03/May/2012:11:39:56] failure (17178) ReverseProxy: for host 10.10.10.25 trying to POST /LoginSubmit.do, func_exec reports: HTTP2302: Function insert-filter aborted the request without setting the status code
[03/May/2012:11:39:56] warning (17178) ReverseProxy: for host 10.10.10.25 trying to POST /LoginSubmit.do, handle-processed reports: HTTP2230: Input function insert-filter returned an error
[03/May/2012:11:40:03] failure (17178) ReverseProxy: for host 10.10.10.25 trying to POST /LoginSubmit.do, sed-request reports: command garbled: s/(

STEPS
-----------------------
1. Insert this filter in obj.conf to prevent cross-site scripting (XSS) attacks

Input fn="insert-filter" method="POST" filter="sed-request" sed="s/(|>)/\\>/gi"

BUSINESS IMPACT
-----------------------
The issue has the following business impact:
Due to this issue, users cannot set up an important security configuration.

Changes

 

Cause
