Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

CacheFlow CacheOS Cross-site Scripting Vulnerability

From: "T.Suzuki" <tss () sccs chukyo-u ac jp>
Date: Thu, 25 Jul 2002 07:49:33 +0900
------------------------------------------------
CacheFlow CacheOS Cross-site Scripting Vulnerability
----------------------------------------------


Vulnerable Product
================

CacheFlow CacheOS

CA 4.1.06 and earlier.
 confirmed by
  CA 3.1.17, Release ID: 15403
  CA 4.0.14, Release ID: 17085
  CA 4.1.06, Release ID: 17757

unvulnerable: CacheOS V4.1.07
 (2002/07/15 Release)

Problems
===========

  CacheFlow neglect to escape the characters such as "<",">","&" in the path
  in the "unresolve" error messages, and pass the message to the browsers as
  HTML.
  
Impact
===========

  Browsers using vulnerable CacheFlow may send the private cookies to the
 attacker by the evil code such as
   http://dummy.example.com/<script>EVIL CODE</script> .

example
===========

Type 
http://nonexistent.example.com/<s>test</s>

Error

Problem Report
The system detected an Unresolved Host Name while attempting to retrieve
the URL: http://nonexistent.example.com/test. <- strike through on test
Message ID
UNRESOLVED_HOSTNAME

Solution
==========
A. Make safe custom error pages
B. Update to CacheOS V4.1.07

Reference
===========
http://download.cacheflow.com/release/CA/4.1.00-docs/CACacheOS41fixes.htm

--
T.Suzuki
  Reflection Inc. / Chukyo University
Previous By Date Next
Previous By Thread Next

Current thread: