Please credit this vulnerability to INFOHACKING (Hugo Vázquez Caramés and Toni Cortés Martinez). We currently work at "Secdor R&D". The vulnerability was found, once again, during a pen-test.

######################################################################
INKTOMI Traffic-Server XSS
######################################################################

We have just discovered a bug in a software called "Inktomi Traffic-Server"; this is a proxy cache server used by large ISPs and backbone providers to increase the speed of web surfing. The software seems to have been acquired by WebSense, but there is not much public info about this. We don't know who is responsible for this software.

THE PROBLEM (Tested on Traffic-Server 5.5.1 used by Telefónica in Spain)

A special request by a client passing through the Inktomi Traffic-Server causes an error page generated by the proxy. This dynamic error page is vulnerable to Cross Site Scripting...

The really important thing is that the client making the request IS UNABLE to distinguish what domain generated this code, so the XSS on this proxy makes any client going through it vulnerable. Indirectly, any server whose clients come through the Traffic-Server and which uses cookies to track sessions is "vulnerable".

Inktomi's Traffic-Server is used in our country (Spain) by Telefonica, friendly known as "Timofonica", but also in many other places in the world; nowadays more and more providers are using this software. Many, many people are affected by this problem.

--How to reproduce--

With a web client:

1) First you need a client that is going through a Traffic-Server.
   You can check it by making an HTTP TRACE request to a server that supports this method. If you see a response like this:

   HTTP/1.0 200 OK
   Date: Wed, 14 May 2003 07:31:13 GMT
   Server: XXXXXX
   Content-Type: message/http
   Age: 1523

   TRACE / HTTP/1.0
   Client-ip: XXXXXXXXXXXX
   X-Forwarded-For: XXXXXXXXXXXX
   Connection: keep-alive
   Via: HTTP/1.0 proxy[AC1EF246] (Traffic-Server/5.5.1-58900 [uSc ])
   Host: XXXXXXXXXXXX

   your HTTP traffic is being proxied by a Traffic-Server.

   Configure this client to use a proxy* (any IP on port 80) on the other side of the Traffic-Server.

   *(It is not necessary that the proxy exists: the request will be grabbed by the Traffic-Server)

2) Make a request like this: http://
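Added example, not part of the advisory: the Via-header check from step 1 (does an echoed TRACE request show a Traffic-Server on the path?) and, for the bug class described under THE PROBLEM, a proxy-style error page that reflects the requested URL, shown both unescaped and HTML-escaped. The TRACE reply is a constructed sample with placeholder addresses, and render_error_page is a hypothetical template, not Traffic-Server's own.

```python
import html
import re
from typing import Optional

# Constructed sample of a TRACE reply echoed back through a Traffic-Server
# (addresses and host are placeholders, not a real capture).
SAMPLE_TRACE_REPLY = (
    "HTTP/1.0 200 OK\r\n"
    "Date: Wed, 14 May 2003 07:31:13 GMT\r\n"
    "Server: XXXXXX\r\n"
    "Content-Type: message/http\r\n"
    "Age: 1523\r\n"
    "\r\n"
    "TRACE / HTTP/1.0\r\n"
    "Client-ip: 192.0.2.10\r\n"
    "X-Forwarded-For: 192.0.2.10\r\n"
    "Connection: keep-alive\r\n"
    "Via: HTTP/1.0 proxy[AC1EF246] (Traffic-Server/5.5.1-58900 [uSc ])\r\n"
    "Host: example.invalid\r\n"
)

# Matches a Via header line that names a Traffic-Server and captures its version.
VIA_RE = re.compile(r"^Via:.*Traffic-Server/([\w.\-]+)", re.IGNORECASE | re.MULTILINE)


def traffic_server_version(trace_reply: str) -> Optional[str]:
    """Return the Traffic-Server version advertised in a Via header of the
    echoed request, or None if no such proxy appears on the path."""
    m = VIA_RE.search(trace_reply)
    return m.group(1) if m else None


def render_error_page(requested_url: str, escape_output: bool) -> str:
    """Hypothetical proxy error page that reflects the requested URL.
    escape_output=False reflects it verbatim (the defect the advisory
    describes); escape_output=True HTML-escapes it, which is the fix."""
    shown = html.escape(requested_url, quote=True) if escape_output else requested_url
    return ("<html><body><h1>Proxy error</h1>"
            f"<p>Could not fetch {shown}</p></body></html>")


def reflects_markup(page: str, probe: str) -> bool:
    """True if the raw probe string survived into the page unescaped."""
    return probe in page
```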
This archive was generated by hypermail 2b30 : Wed May 14 2003 - 09:56:35 PDT