[SNS Advisory No.47] DeleGate Cross Site Scripting Vulnerability
From: snsadv@lac.co.jpDate: 12/28/01
- Previous message: zedfly@hushmail.com: "RE: Dangerous information in CentraOne log files - VENDOR RESPONSE"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 28 Dec 2001 14:17:23 +0900 From: "snsadv@lac.co.jp" <snsadv@lac.co.jp> To: bugtraq@securityfocus.com
----------------------------------------------------------------------
SNS Advisory No.47
DeleGate Cross Site Scripting Vulnerability
Problem first discovered: Wed, 26 Dec 2001
Published: Fri, 28 Dec 2001
----------------------------------------------------------------------
Overview:
---------
DeleGate, a multifunctional Proxy server program, contains a
vulnerability related to a cross site scripting.
Problem Description:
--------------------
DeleGate, a multifunctional Proxy server program, is prone to a cross
site scripting vulnerability under the following specific conditions:
* When there is an URL that displays the error message "403 Forbidden"
* When the administrator displays his/her own configured error message
using the MOUNT option
The configuration that complies with these conditions will result in
automatic execution of JavaScript code on the Web user's browser, if
the attacker makes the following link, and the user clicks it:
http://IP_Address_of_DeleGate/ Tested Versions:
Solution:
http://www.delegate.org/delegate/
Discovered by:
Disclaimer:
References:
------------------------------------------------------------------
----------------
DeleGate/7.7.1
DeleGate/7.7.0
---------
This problem can be eliminated by upgrading to DeleGate/7.8.0, which
is available at the following URL:
--------------
Satoshi ISHIZUKA (LAC)
Keigo YAMAZAKI (LAC)
-----------
All information in these advisories are subject to change without any
advanced notices neither mutual consensus, and each of them is released
as it is. LAC Co.,Ltd. is not responsible for any risks of occurrences
caused by applying those information.
-----------
Archive of this advisory:
http://www.lac.co.jp/security/english/snsadv_e/47_e.html
Secure Net Service(SNS) Security Advisory <snsadv@lac.co.jp>
Computer Security Laboratory, LAC http://www.lac.co.jp/security/
-------------------------------------------------------------------
Relevant Pages
... ExplorerXP: Directory Traversal and Cross Site Scripting ... Two vulnerabilities have been discovered in ExploreXP, ...
(Full-Disclosure)
... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Invision Power Board Cross Site Scripting Vulnerability ...
(Securiteam)
... Webmedia Explorer - Cross Site Scripting Vulnerability ... Webmedia Explorer is the alternative CMS engine that reads the hard disc and generates a website realtime taking advantage of a very powerful rendering and data fetching caching system. ... -- Will be executed when a user moves his mouse over a tag. ...
(Bugtraq)
... Mail.com Cross Site Scripting Vulnerability ... Sign-up for your own FREE Personalized E-mail at Mail.com ...
(Bugtraq)
... IPCop Cross Site Scripting Vulnerability in "proxylog.dat" ... Paul Kurczaba ...
(Bugtraq)
