Proxomitron Cross-site Scripting Vulnerability

From: TAKAGI, Hiromitsu (takagiat_private)
Date: Mon Jul 23 2001 - 14:05:03 PDT


    Proxomitron Cross-site Scripting Vulnerability
    ==============================================
    
    Affected versions
    =================
      Proxomitron Naoko-4 BetaFour or earlier
      http://spywaresucks.org/prox/
    
    Problem
    =======
      Accessing the following URL, with the browser configured to use
      Proxomitron as its proxy,
        http://www.example.com:9999/<SCRIPT>document.write(document.domain)</SCRIPT>
                               ---- inactive port
      causes Proxomitron to produce output like this:
         ========================================================
         <html><head><title>The Proxomitron Reveals...</title>
         ...
         The Proxomitron couldn't connect to...<br>
         <font color=#ffff00 size=+1 > www.example.com:9999/<SCRIPT>document.write(document.domain)</SCRIPT>
         </font><br>
         The site may be busy or the web server may be down.
         ...
         ========================================================
      and this will be shown as the following:
         ========================================================
         Error connecting to site
         The Proxomitron couldn't connect to...
         www.example.com:9999/www.example.com 
         The site may be busy or the web server may be down. 
         ========================================================
      The noteworthy point is that the JavaScript code is executed in the
      context of an arbitrary domain chosen by the attacker: the error page
      is returned in response to a request for that host, so the browser
      treats it as that host's content.
      
      Therefore, malicious JavaScript written by an attacker can be executed
      in the browser, and the cookies issued by an arbitrarily chosen site
      can be stolen.
      
      cf. The same problem was found in Squid 2.4 DEVEL4.
      <http://www.securityfocus.com/archive/1/197606>
    
    Status
    ======
      Notified: 
        21 Jul 2001 05:19:22 +0900
      Fix: 
        Proxomitron Naoko-4 BetaFive
        http://spywaresucks.org/prox/beta.html
        Changes.txt:
        > BETA FIVE:
        > * Fixed a potential JavaScript exploit that could result from 
        > including HTML in a bad URL. Proxomitron's error message output
        > would echo the URL to the browser allowing the code to be
        > processed. This could let JavaScript run seemingly under that
        > URL (and might lead to cookie vulnerabilities).
        > All echoed text is now HTML escaped before being printed. 
        > (My thanks to Hiromitsu Takagi for alerting me to this).
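    The following Python is an added illustration of the problem above and of the
    escaping fix described in Changes.txt; it is not Proxomitron's code. The error
    page template, the probe URL (taken from this advisory) and the function names
    are constructed for the example.

```python
import html
import re

# Constructed sample input: the probe URL from the advisory.  Port 9999 is one
# nothing listens on, so the proxy falls through to its error page.
BAD_URL = "http://www.example.com:9999/<SCRIPT>document.write(document.domain)</SCRIPT>"

# Simplified stand-in for the proxy's error page; it never emits a <script>
# tag of its own, so any that appears must have come from echoed input.
TEMPLATE = (
    "<html><head><title>The Proxomitron Reveals...</title></head><body>\n"
    "The Proxomitron couldn't connect to...<br>\n"
    "<font color=#ffff00 size=+1 > {target}</font><br>\n"
    "The site may be busy or the web server may be down.\n"
    "</body></html>\n"
)


def display_target(url: str) -> str:
    """host:port/path as the error page shows it (scheme dropped)."""
    return url.split("://", 1)[-1]


def render_error_page(url: str, escape_output: bool) -> str:
    """Build the 'couldn't connect' page for a request the proxy could not serve.

    escape_output=False mirrors the BetaFour behaviour (URL echoed verbatim);
    escape_output=True mirrors the BetaFive fix (echoed text HTML-escaped).
    """
    target = display_target(url)
    if escape_output:
        # Escape &, <, > and both quote characters so the URL is rendered as
        # text only, whatever it contains.
        target = html.escape(target, quote=True)
    return TEMPLATE.format(target=target)


def echoes_raw_markup(page: str) -> bool:
    """Defender's check: does the rendered page carry a script tag that the
    template itself never produces?  True means input reached the browser
    as live markup rather than as text."""
    return re.search(r"<\s*script\b", page, re.IGNORECASE) is not None


if __name__ == "__main__":
    # The browser attributes the page to the requested host, so a reflected
    # script would run with document.domain == www.example.com.
    for fixed in (False, True):
        page = render_error_page(BAD_URL, escape_output=fixed)
        print(f"escaped={fixed}: raw markup reflected -> {echoes_raw_markup(page)}")
```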
    
    --
    Hiromitsu Takagi, Ph.D.
    National Institute of Advanced Industrial Science and Technology,
    Tsukuba Central 2, 1-1-1, Umezono, Tsukuba, Ibaraki 305-8568, Japan
    http://www.etl.go.jp/~takagi/
    



    This archive was generated by hypermail 2b30 : Mon Jul 23 2001 - 16:55:57 PDT