Re: CacheFlow CacheOS Cross-site Scripting Vulnerability

From: Blueat_private, Coatat_private, Systemsat_private (Blueat_private)
Date: Mon Sep 02 2002 - 22:37:13 PDT


    
    In-Reply-To: <200207250749.33496@Message-id-is-important>
    
    -----------------------------------------------------------
    Blue Coat Systems (formerly CacheFlow) Cross Site Scripting Vulnerability
    -----------------------------------------------------------
    
    Blue Coat Systems thanks T. Suzuki of Reflection Inc. / Chukyo University 
    for the help in finding and bringing this exploit to the attention of our 
    support team.  An excellent job was done in providing a detailed 
    explanation of the problem and the solution.  To provide complete 
    clarification Blue Coat Systems Support is providing an official response 
    to this vulnerability.
    
    VULNERABLE SOFTWARE VERSIONS
    ============================
    
      Client Accelerators
        CA 4.1.06 and earlier
    
      Server Accelerators
        SA 4.1.06 and earlier
    
      Security Gateways
        SG 2.1.02 and earlier
    
    
    EXPLOIT
    =======
    
      It is possible to send HTML special characters (such as "<", ">" and
      "&") to the client browser via the appliance's error pages.
    
    IMPACT
    ======
    
      Users may involuntarily invoke a client side script.
    
    SUGGESTED SOLUTION
    ==================
    
      Client Accelerators
        Upgrade to CA 4.1.07 or higher
    
      Server Accelerators
        Upgrade to SA 4.1.07 or higher
    
      Security Gateways
        Upgrade to SG 2.1.03 or higher
    
    ALTERNATIVE SOLUTION
    ====================
    
      Client Accelerators
        CA 3.1.XX
          Upgrade the custom error pages.
          Download the updated error pages file and install instructions at
    
          http://download.cacheflow.com/release/CA/3.1.00-docs/v3.1-error-pages.zip
    
    
        CA 4.0.XX
          Upgrade the custom error pages.
          Download the updated error pages file and install instructions at
    
          http://download.cacheflow.com/release/CA/4.0.00-docs/CA4-error-pages.zip
    
      Server Accelerators
        SA 4.0.XX
    
          Upgrade the custom error pages.
          Download the updated error pages file and install instructions at
    
          http://download.cacheflow.com/release/SA/4.0.00-docs/SA4-error-pages.zip
    
      Security Gateways
        None
    
    Blue Coat Systems (formerly CacheFlow) Support Department
    UNITED STATES DOMESTIC: 866.362.2628
    DOMESTIC/INTERNATIONAL CALLS: 408.220.2270
    ASIA PACIFIC RIM: 81.3.5425.8492
    EMAIL: supportat_private
    
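The flaw the advisory describes is a generic one: an error page that echoes a request-controlled value (such as the URL that could not be fetched) into HTML without escaping. The following Python is an added illustration, not Blue Coat's or CacheFlow's code; the page template, the function names and the sample URL are assumptions constructed for the example. It places the vulnerable pattern beside the hardened one and includes a small check that a tester can run over generated error pages.

```python
import html

# Constructed sample of a proxied URL a client might request; it carries the
# characters the advisory names ("<", ">", "&") and is used only as test input.
SAMPLE_URL = 'http://example.invalid/page?q=<b>&x=1'


def render_error_page_unescaped(requested_url: str) -> str:
    """Vulnerable form (hypothetical template): the request URL is copied into
    the HTML error page verbatim, so any markup in it reaches the browser."""
    return (
        "<html><body><h1>Unable to retrieve page</h1>"
        f"<p>The requested URL {requested_url} could not be fetched.</p>"
        "</body></html>"
    )


def render_error_page(requested_url: str) -> str:
    """Hardened form: every request-influenced value is HTML-escaped before it
    is placed in the page, so "<", ">", "&" and quotes are rendered as text
    rather than interpreted as markup."""
    safe_url = html.escape(requested_url, quote=True)
    return (
        "<html><body><h1>Unable to retrieve page</h1>"
        f"<p>The requested URL {safe_url} could not be fetched.</p>"
        "</body></html>"
    )


def reflects_raw_markup(rendered: str, untrusted_input: str) -> bool:
    """Check for a test suite or CI job: does the rendered page contain the
    untrusted input with its markup characters intact? Returns False when the
    input carries no HTML-significant characters, because then nothing needs
    escaping and a verbatim echo is harmless."""
    if not any(ch in untrusted_input for ch in "<>&\"'"):
        return False
    return untrusted_input in rendered


if __name__ == "__main__":
    # Exercise both templates with the constructed sample.
    print("unescaped page reflects raw markup:",
          reflects_raw_markup(render_error_page_unescaped(SAMPLE_URL), SAMPLE_URL))
    print("escaped page reflects raw markup:  ",
          reflects_raw_markup(render_error_page(SAMPLE_URL), SAMPLE_URL))
    print(render_error_page(SAMPLE_URL))
```

The escaping belongs in the template that builds the page, not in a filter on the request, because the same URL may legitimately contain those characters and the goal is only to keep the browser from interpreting them. A check like `reflects_raw_markup` is also a reasonable acceptance test to run after installing updated custom error pages, as the alternative solution above describes.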