CacheFlow CacheOS Cross-site Scripting Vulnerability

From: T.Suzuki (tssat_private-u.ac.jp)
Date: Wed Jul 24 2002 - 15:49:33 PDT


    ----------------------------------------------------
    CacheFlow CacheOS Cross-site Scripting Vulnerability
    ----------------------------------------------------
    
    
    Vulnerable Product
    ================
    
    CacheFlow CacheOS
    
    CA 4.1.06 and earlier.
     confirmed by
      CA 3.1.17, Release ID: 15403
      CA 4.0.14, Release ID: 17085
      CA 4.1.06, Release ID: 17757
    
    Not vulnerable: CacheOS V4.1.07
     (2002/07/15 Release)
    
    Problems
    ===========
    
      CacheFlow neglects to escape characters such as "<", ">", "&" in the path
      in the "unresolved" error messages, and passes the message to the browser as
      HTML.
      
    Impact
    ===========
    
      Browsers using a vulnerable CacheFlow may send private cookies to an
      attacker via evil code such as
        http://dummy.example.com/>EVIL CODE</script> .
    
    example
    ===========
    
    Type 
    http://nonexistent.example.com/>test</s>
    
    Error
    
    Problem Report
    The system detected an Unresolved Host Name while attempting to retrieve
    the URL: http://nonexistent.example.com/test.   <- "test" is rendered struck through
    Message ID
    UNRESOLVED_HOSTNAME
    
    Solution
    ==========
    A. Make safe custom error pages
    B. Update to CacheOS V4.1.07
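
The defect and solution A side by side, as an added example that is not part of the original post and not CacheFlow's code: the first function reproduces the described behaviour (the requested URL is interpolated into the error page verbatim, so the `<s>` tag from the example URL becomes live markup), the second is the hardened form a safe custom error page should use (HTML-escape the URL before it lands in the page), and the third is a check a defender can run against a rendered error page to see whether it reflects raw markup from the request. Function names and the page template are assumptions; the sample URL is the one from the example above.

```python
import html

# Constructed sample input: the request URL from the advisory's example.
SAMPLE_URL = "http://nonexistent.example.com/>test</s>"

# Hypothetical template approximating the CacheOS "Problem Report" text.
_TEMPLATE = (
    "<html><body><h1>Problem Report</h1>"
    "<p>The system detected an Unresolved Host Name while attempting to "
    "retrieve the URL: {url}.</p>"
    "<p>Message ID<br>UNRESOLVED_HOSTNAME</p></body></html>"
)


def vulnerable_error_page(url: str) -> str:
    """Reproduces the defect: the URL is placed into HTML without escaping,
    so any '<', '>' or '&' in the request becomes markup in the browser."""
    return _TEMPLATE.format(url=url)


def safe_error_page(url: str) -> str:
    """Hardened custom error page: escape the URL before interpolating it.
    html.escape turns < > & " ' into entities, so the request is shown as
    text and cannot open or close tags."""
    return _TEMPLATE.format(url=html.escape(url, quote=True))


def reflects_raw_url(page: str, url: str) -> bool:
    """Detection check for a rendered error page: True when the request URL
    contained markup characters and the page echoes it back verbatim
    (i.e. unescaped).  A URL without < > & gives no signal either way."""
    if not any(ch in url for ch in "<>&"):
        return False
    return url in page


if __name__ == "__main__":
    print("vulnerable reflects raw URL:",
          reflects_raw_url(vulnerable_error_page(SAMPLE_URL), SAMPLE_URL))
    print("safe reflects raw URL:",
          reflects_raw_url(safe_error_page(SAMPLE_URL), SAMPLE_URL))
    print(safe_error_page(SAMPLE_URL))
```

Running the block shows the vulnerable page containing a literal `</s>` (which is why "test" renders struck through in the example), while the safe page carries `&gt;test&lt;/s&gt;` and the check reports no reflection.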
    
    Reference
    ===========
    http://download.cacheflow.com/release/CA/4.1.00-docs/CACacheOS41fixes.htm
    
    --
    T.Suzuki
      Reflection Inc. / Chukyo University
    



    This archive was generated by hypermail 2b30 : Wed Jul 24 2002 - 16:10:16 PDT