Bugtraq mailing list archives
Squid cross-site scripting (Fw: Squid doesn't quote urls in error messages.)
From: "TAKAGI, Hiromitsu" <takagi () etl go jp>
Date: Wed, 18 Jul 2001 21:45:35 +0900
The following problem is not registered on the vulnerabilities database.

http://www.securityfocus.com/vdb/middle.html?vendor=&title=Squid%20Web%20Proxy&version=any
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=squid

Related messages:
http://www.squid-cache.org/mail-archive/squid-dev/200010/0361.html
http://www.squid-cache.org/mail-archive/squid-dev/200011/0051.html
http://www.securityfocus.com/archive/82/142120

Fix:
http://www.squid-cache.org/Versions/v2/2.4/diff-2.4.DEVEL4-2.4.PRE-STABLE.gz
http://www.squid-cache.org/Versions/v2/2.3/diff-2.3.STABLE4-2.3.STABLE5.gz

--
Hiromitsu Takagi, Ph.D.
National Institute of Advanced Industrial Science and Technology,
Tsukuba Central 2, 1-1-1, Umezono, Tsukuba, Ibaraki 305-8568, Japan
http://www.etl.go.jp/~takagi/

Forwarded by "TAKAGI, Hiromitsu" <takagi () etl go jp>
----------------------- Original Message -----------------------
From: Lincoln Yeoh <lyeoh () POP JARING MY>
To: VULN-DEV () SECURITYFOCUS COM
Date: Fri, 27 Oct 2000 17:47:00 +0800
Subject: Squid doesn't quote urls in error messages.
----

Hi,

I noticed that Squid 2.3.STABLE4 doesn't quote urls in error messages.

For example if a user visits the following url

http://www.dotcom.com/ <b>test</b>

The user will get an invalid url page with test in bold.

Or even more fun with:

http://www.somecompany.com/<img src="http://www.mysite.com/mylogo.gif">

You can actually get a working form in such an error message! Javascript too.

So it may be possible to rip out other site's cookies from browsers using this (see DKrypt's and other people's stuff on it). Also maybe do a fake form/page :).

I haven't really tried it myself, and so I can't confirm if it really works (that's why it's in VULN-DEV ;) ).

Cheerio,
Link.
--------------------- Original Message Ends --------------------
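The missing quoting described in the message above, shown beside an escaped form, as an added example that is not Squid's code and not part of the original posts. The names html_escape and render_error and the error-page layout are hypothetical; the sample URL is modelled on the first one in the post.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Squid's code): HTML-escape `in` into `out`.
 * Returns the escaped length, or -1 if `out` is too small. */
int html_escape(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (; *in; in++) {
        const char *rep = NULL;
        switch (*in) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t n = rep ? strlen(rep) : 1;
        if (o + n >= outsz) return -1;   /* never emit a truncated entity */
        memcpy(out + o, rep ? rep : in, n);
        o += n;
    }
    out[o] = '\0';
    return (int)o;
}

/* Build a constructed error body. escape=0 reproduces the unquoted
 * behaviour the post reports; escape=1 is the quoted form.
 * Returns 0 on success, -1 if the result does not fit. */
int render_error(const char *url, int escape, char *page, size_t pagesz)
{
    char safe[1024];
    if (escape && html_escape(url, safe, sizeof safe) < 0) return -1;
    if (escape) url = safe;
    int n = snprintf(page, pagesz,
                     "<html><body><p>Invalid URL: %s</p></body></html>", url);
    return (n < 0 || (size_t)n >= pagesz) ? -1 : 0;
}

int main(void)
{
    const char *url = "http://www.dotcom.com/<b>test</b>"; /* modelled on the post */
    char page[2048];
    if (render_error(url, 0, page, sizeof page) == 0) printf("unquoted: %s\n", page);
    if (render_error(url, 1, page, sizeof page) == 0) printf("quoted:   %s\n", page);
    return 0;
}
```

In the quoted output the browser displays the tag characters as text instead of interpreting them as markup.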