Bugtraq mailing list archives

[SNS Advisory No.57] AN HTTPD Cross-site Scripting Vulnerability


From: "snsadv () lac co jp" <snsadv () lac co jp>
Date: Mon, 28 Oct 2002 17:40:23 +0900

----------------------------------------------------------------------
SNS Advisory No.57
AN HTTPD Cross-site Scripting Vulnerability

Problem first discovered: Wed, 23 Oct 2002
Published: Mon, 28 Oct 2002
Reference: http://www.lac.co.jp/security/english/snsadv_e/57_e.html
----------------------------------------------------------------------

Overview:
---------
  AN HTTPD 1.41d is prone to a Cross-site Scripting vulnerability. 

Details:
--------
  AN HTTPD shows an error page if a client sends a request containing 
  ":" in the URI field.  The problem occurs because this URI is 
  inserted into the error page without being sanitized.

Tested Versions:
----------------
  AN HTTPD 1.41d

Tested OS:
----------
  Windows 2000 Server + SP3

Solution:
---------
  This problem can be eliminated by updating to AN HTTPD 1.41e.

  AN HTTPD 1.41e
  http://www.st.rim.or.jp/~nakata/httpd141e.exe

Discovered by:
--------------
  Keigo Yamazaki

Acknowledgements:
-----------------
  Thanks to:
  Mr. Akio Nakata

Disclaimer:
-----------
  All information in these advisories is subject to change without
  advance notice or mutual consensus, and each advisory is released
  as is. LAC Co., Ltd. is not responsible for any risks arising from
  applying this information.

------------------------------------------------------------------
SecureNet Service(SNS) Security Advisory <snsadv () lac co jp>
Computer Security Laboratory, LAC  http://www.lac.co.jp/security/


