
Source code bug bites Sun

Sun Microsystems is the latest software company to acknowledge being bitten by a security bug that exposes script source code.

The bug gained notice after its discovery last week by programmers at the San Diego Source, the online arm of a Southern California business journal. At that time, Netscape Communications and O'Reilly & Associates said that their server software was vulnerable, and both companies said they were working on patches.

Following a new report this week from the San Diego Source, Sun has said its server software is vulnerable as well.

Sun, like Netscape and O'Reilly, is describing the bug as a problem with the Windows operating system.

"This is a Microsoft problem," said Rob Clark, project lead for Sun's JavaWebServer.

The bug lets users add an extra dot to the end of a URL and, by doing so, retrieve the source code of the page the URL names. The server picks how to handle a request from the extension of the requested file name, and the trailing dot hides the script extension, so the request is treated as a plain text file rather than a Web file, according to Clark. Windows, meanwhile, ignores a trailing dot when it opens a file, so the server reads the very same script and sends its source back unprocessed.

Non-Windows operating systems treat the extra dot as part of the file name, so a URL with that extra character simply matches no file and the request fails.
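As an added illustration of the mechanism, and not code from CNET, Sun, or any of the vendors named in this story, the Python below models a server that chooses its handler from the requested file name while the operating system opens the file after stripping the trailing dot. The handler table, the document root, the percent-encoded dot ("%2E") and the trailing-space case are constructed assumptions that go slightly beyond what the article states; the hardened version shows the check a server needs, which is to normalize the name the way the filesystem will before choosing a handler and to refuse any request whose name changes under that normalization.

```python
from urllib.parse import unquote, urlsplit

# Constructed extension-to-handler table standing in for a late-1990s web
# server's handler map. The entries are assumptions; real products differ.
HANDLERS = {
    ".html": "static",
    ".txt": "static",
    ".jhtml": "script",   # server-side script: its source must never go out raw
    ".shtml": "script",
}
DEFAULT_HANDLER = "static"   # unknown extension: served as plain text

# Constructed document root for the demonstration.
EXISTING_FILES = {"page.jhtml", "index.html"}


def request_filename(url):
    """Last path segment of the request URL, percent-decoded
    (so 'page.jhtml%2E' becomes 'page.jhtml.')."""
    return unquote(urlsplit(url).path).rsplit("/", 1)[-1]


def extension_of(name):
    """Extension as a naive server sees it: everything from the last dot on.
    'page.jhtml.' therefore yields '.' rather than '.jhtml'."""
    i = name.rfind(".")
    return name[i:].lower() if i > 0 else ""


def filesystem_name(name, platform):
    """The name the OS actually opens. Win32 silently drops trailing dots
    (and trailing spaces; an assumption beyond the article) from a file name.
    A POSIX filesystem keeps them, so the dotted name matches no file."""
    return name.rstrip(". ") if platform == "windows" else name


def vulnerable_dispatch(url, platform="windows"):
    """The flawed pattern the article describes: the handler is chosen from
    the raw request name, but the file is opened after OS normalization.
    Returns (handler, file opened) or ('404', None)."""
    name = request_filename(url)
    handler = HANDLERS.get(extension_of(name), DEFAULT_HANDLER)
    real = filesystem_name(name, platform)
    if real not in EXISTING_FILES:
        return "404", None
    return handler, real          # 'page.jhtml.' -> ('static', 'page.jhtml')


def hardened_dispatch(url, platform="windows"):
    """Fix: refuse any request whose name would change under filesystem
    normalization, and pick the handler from the normalized name."""
    name = request_filename(url)
    real = filesystem_name(name, platform)
    if real != name:
        return "reject", None     # covers 'page.jhtml.' and 'page.jhtml%2E'
    if real not in EXISTING_FILES:
        return "404", None
    return HANDLERS.get(extension_of(real), DEFAULT_HANDLER), real


if __name__ == "__main__":
    for url in ("http://host/app/page.jhtml", "http://host/app/page.jhtml.",
                "http://host/app/page.jhtml%2E"):
        print(url, "->", vulnerable_dispatch(url), "| fixed:", hardened_dispatch(url))
```

Run stand-alone, the script shows the dotted and percent-encoded requests reaching the "static" handler while opening page.jhtml, which is exactly the source-code leak, and the hardened dispatcher rejecting both while still serving the undotted names normally.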

For most Web pages, the exposure of source code does not constitute a security breach; the "page source" or "document source" command built into most browsers lets users see the HTML of a static page as a matter of course. But trouble potentially arises when the Web pages contain server-side scripts, whose source code is executed on the server and is never supposed to reach the browser. Scripts that interact with corporate databases could contain user names and passwords for those databases, opening companies up to a security risk.

While Sun is preparing a patch, Clark emphasized that the bug was comparatively benign and that programmers shouldn't be coding passwords into script source code anyway.

"That's a no-no," Clark said. "But if people do that, then this bug is a security hole."

Clark denied the San Diego Source's contention that server-side Java programs, known as "servlets," were vulnerable to the bug.

Process Software's Purveyor Web server product is also vulnerable to the bug, according to the San Diego Source report. Process Software could not be reached for confirmation.

Netscape and O'Reilly today said their patches for the bug would be available later this week. Sun said its investigation of the bug was still under way, and that it would post a fix "as soon as possible."