CacheFlow CacheOS Cross-site Scripting Vulnerability

From: "T.Suzuki" <tss@sccs.chukyo-u.ac.jp>
To: bugtraq@securityfocus.com
Date: Thu, 25 Jul 2002 07:49:33 +0900


------------------------------------------------
CacheFlow CacheOS Cross-site Scripting Vulnerability
------------------------------------------------

Vulnerable Product
==================

CacheFlow CacheOS

CA 4.1.06 and earlier.
 Confirmed on:
  CA 3.1.17, Release ID: 15403
  CA 4.0.14, Release ID: 17085
  CA 4.1.06, Release ID: 17757

Not vulnerable: CacheOS V4.1.07
 (released 2002/07/15)

Problems
========

  CacheOS does not escape characters such as "<", ">" and "&" in the
  requested path when it echoes the URL in its "Unresolved Host Name"
  error message, and it sends that message to the browser as HTML. Any
  markup placed in the path of a request for a host name the proxy cannot
  resolve is therefore rendered, and any script in it executed, by the
  browser.
  
Impact
======

  A browser that fetches through a vulnerable CacheFlow can be made to run
  attacker-supplied script, and so to send its private cookies to the
  attacker, by being pointed at a URL such as
   http://dummy.example.com/>EVIL CODE</script> .
  The attacker needs only a host name that the proxy cannot resolve.

Example
=======

Request the URL
  http://nonexistent.example.com/>test</s>

The proxy returns this error page:

  Problem Report
  The system detected an Unresolved Host Name while attempting to retrieve
  the URL:
  http://nonexistent.example.com/test   <- "test" is rendered struck through
  Message ID
  UNRESOLVED_HOSTNAME

The strike-through shows that the "</s>" in the path was interpreted as an
HTML tag instead of being displayed as text.

Solution
========
A. Configure custom error pages that HTML-escape the requested URL before
   inserting it into the page.
B. Update to CacheOS V4.1.07.
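To make the problem and the "safe custom error page" fix concrete, here is an added example; it is not CacheFlow's code, and the page template in it is a hypothetical one modelled on the Problem Report text quoted above, not CacheOS's real template. It builds the UNRESOLVED_HOSTNAME page two ways, by splicing the requested URL in unescaped (the behaviour the advisory reports) and by HTML-escaping it first (what a safe custom error page must do), and it includes a small checker that tells whether a given error-page body reflects the probe URL's tags verbatim, which is the test to run on the body a proxy returns for the advisory's probe URL.

```python
import html
from urllib.parse import urlsplit

# Probe URL from the advisory: the path carries raw HTML (">test</s>").
PROBE_URL = "http://nonexistent.example.com/>test</s>"

# Hypothetical error-page template, modelled on the "Problem Report" text
# quoted in the advisory. It is NOT CacheOS's real template. The URL is used
# both as the link target and as the link text, which is where an unescaped
# URL turns into markup.
TEMPLATE = """<html><head><title>Problem Report</title></head><body>
<h1>Problem Report</h1>
<p>The system detected an Unresolved Host Name while attempting to retrieve
the URL:</p>
<p><a href="{url}">{url}</a></p>
<p>Message ID<br>UNRESOLVED_HOSTNAME</p>
</body></html>
"""


def error_page_vulnerable(requested_url: str) -> str:
    """Splice the requested URL into the page unescaped.

    This reproduces the behaviour the advisory reports: '<', '>' and '&'
    in the path reach the browser as HTML.
    """
    return TEMPLATE.format(url=requested_url)


def error_page_safe(requested_url: str) -> str:
    """Same page, but the URL is HTML-escaped before insertion.

    quote=True also turns '"' and "'" into entities, which matters because
    the URL lands inside the href attribute as well as in element text.
    """
    return TEMPLATE.format(url=html.escape(requested_url, quote=True))


def reflects_markup(body: str, probe_url: str) -> bool:
    """Return True if the probe's path is echoed with its '<'/'>' intact.

    Run this on the body a proxy returns for probe_url. With PROBE_URL the
    path is '/>test</s>'; a proxy that escapes correctly returns
    '/&gt;test&lt;/s&gt;' instead, so the function returns False.
    """
    path = urlsplit(probe_url).path
    has_markup = "<" in path or ">" in path
    return has_markup and path in body


if __name__ == "__main__":
    for name, page in (("vulnerable", error_page_vulnerable(PROBE_URL)),
                       ("safe", error_page_safe(PROBE_URL))):
        print(f"{name}: reflects markup = {reflects_markup(page, PROBE_URL)}")
```

To test a real proxy, fetch PROBE_URL through it and hand the response body to reflects_markup; the check looks only at whether the path's angle brackets survive, not at how a particular browser renders the result. Escaping must cover '&', '<', '>' and both quote characters, because the same string is emitted once inside an attribute and once as text.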

Reference
=========
http://download.cacheflow.com/release/CA/4.1.00-docs/CACacheOS41fixes.htm

--
T.Suzuki
  Reflection Inc. / Chukyo University
