[NT] DeleGate Cross Site Scripting Vulnerability
From: support@securiteam.comDate: 01/04/02
- Previous message: support@securiteam.com: "[EXPL] AIM Buffer Overflow Exploit"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: support@securiteam.com To: list@securiteam.com Date: Fri, 4 Jan 2002 18:14:18 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
DeleGate Cross Site Scripting Vulnerability
------------------------------------------------------------------------
SUMMARY
<http://www.delegate.org/delegate/> DeleGate, a multifunctional Proxy
server program, contains a vulnerability related to a cross-site
scripting.
DETAILS
Vulnerable systems:
DeleGate version 7.7.1
DeleGate version 7.7.0
Immune systems:
DeleGate version 7.8.0
DeleGate, a multifunctional Proxy server program, is prone to a cross-site
scripting vulnerability under the following specific conditions:
* When there is an URL that displays the error message "403 Forbidden"
* When the administrator displays his/her own configured error message
using the MOUNT option
The configuration that complies with these conditions will result in
Solution:
ADDITIONAL INFORMATION
The information has been provided by <mailto:snsadv@lac.co.jp> Satoshi
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
====================
DISCLAIMER:
automatic execution of JavaScript code on the Web user's browser, if the
attacker makes the following link, and the user clicks it:
http://IP_Address_of_DeleGate/
This problem can be eliminated by upgrading to DeleGate/7.8.0, which is
available at the following URL:
<http://www.delegate.org/delegate/> http://www.delegate.org/delegate/
ISHIZUKA (LAC) and <mailto:snsadv@lac.co.jp> Keigo YAMAZAKI (LAC).
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
Relevant Pages
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... A security vulnerability
in the product allows ... the members page, this CSS vulnerability will take effect. ...
(Securiteam)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... A security vulnerability
in the product allows attackers to get access to ... In no event shall we be liable for any damages
whatsoever including direct, indirect, incidental, consequential, loss of business profits or special
damages. ... (Securiteam)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... exploitable denial of service
vulnerability has been found in the product ... * VisNetic ActiveDefense version 1.3.1
and early ... (Securiteam)
... The following security advisory is sent to the securiteam mailing list, and can be found at
the SecuriTeam web site: http://www.securiteam.com ... Get your security news from
a reliable source. ... Beyond Security has discovered a security vulnerability in ...
Zaep AntiSpam 2.0, ... (Securiteam)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Internet Explorer allows
downloading of digitally signed ActiveXs directly ... To prevent such a vulnerability,
... (Securiteam)
