SecurityTracker.com
Category:  Device (Router/Bridge/Hub)  >  CacheOS
Vendors:  CacheFlow
CacheFlow CacheOS Input Validation Flaw Allows Remote Users to Conduct Cross-site Scripting Attacks
SecurityTracker Alert ID:  1004841
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Jul 25 2002
Impact:  Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  
Version(s): 4.1.06 and prior versions
Description:  An input validation vulnerability was reported in CacheOS. A remote user can conduct cross-site scripting attacks against web browsers whose traffic is processed via a CacheFlow product.

It is reported that the system does not properly escape characters such as "<", ">", and "&" in the path of URLs that are displayed in DNS resolution error messages.

A remote user can create malicious JavaScript that, when loaded by another target (victim) user, will cause arbitrary scripting code to be executed by the target user's browser. The code may be able to access the target user's cookies (including authentication cookies), if any, associated with a different site.

A demonstration exploit URL is provided:

http://[nonexistent_host]/<s>test</s>

Impact:  A remote user may be able to access the target user's cookies (including authentication cookies).
Solution:  The vendor has released a fixed version (4.1.07), available at:

http://download.cacheflow.com/
http://download.cacheflow.com/release/CA/4.1.00-docs/CACacheOS41fixes.htm

Vendor URL:  download.cacheflow.com/release/CA/4.1.00-docs/CACacheOS41fixes.htm
Cause:  Input validation error
Reported By:  "T.Suzuki" <tss@sccs.chukyo-u.ac.jp>
Message History:   None.


 Source Message Contents

Date:  Thu, 25 Jul 2002 07:49:33 +0900
From:  "T.Suzuki" <tss@sccs.chukyo-u.ac.jp>
Subject:  CacheFlow CacheOS Cross-site Scripting Vulnerability

 

------------------------------------------------
CacheFlow CacheOS Cross-site Scripting Vulnerability
----------------------------------------------


Vulnerable Product
================

CacheFlow CacheOS

CA 4.1.06 and earlier.
 confirmed by
  CA 3.1.17, Release ID: 15403
  CA 4.0.14, Release ID: 17085
  CA 4.1.06, Release ID: 17757

unvulnerable: CacheOS V4.1.07
 (2002/07/15 Release)

Problems
===========

  CacheFlow neglects to escape the characters such as "<",">","&"
in the path in the "unresolve" error messages, and passes the message to the browsers as HTML.

Impact
===========

Browsers using vulnerable CacheFlow may send the private cookies to the attacker by the evil code such as

http://dummy.example.com/<script>EVIL CODE</script> .

example
===========

Type http://nonexistent.example.com/<s>test</s>

Error

Problem Report
The system detected an Unresolved Host Name while attempting to retrieve the URL: http://nonexistent.example.com/test.   <- strike through on test

Message ID
UNRESOLVED_HOSTNAME

Solution
==========

A. Make safe custom error pages
B. Update to CacheOS V4.1.07

Reference
===========

http://download.cacheflow.com/release/CA/4.1.00-docs/CACacheOS41fixes.htm

--
T.Suzuki
Reflection Inc. / Chukyo University
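
The escaping flaw described in the alert, and the "safe custom error pages" workaround from the source message, shown as an added example (not CacheFlow code and not part of the original report). The template text, function names and probe constant are assumptions modelled on the error message quoted above.

```python
import html

# Constructed template modelled on the error text quoted in the advisory.
TEMPLATE = (
    "<html><body><h1>Error</h1>\n"
    "<h2>Problem Report</h2>\n"
    "<p>The system detected an Unresolved Host Name while attempting "
    "to retrieve the URL: {url}</p>\n"
    "<h2>Message ID</h2>\n<p>UNRESOLVED_HOSTNAME</p>\n"
    "</body></html>"
)

# Harmless probe taken from the advisory's demonstration URL.
PROBE = "http://nonexistent.example.com/<s>test</s>"


def render_unsafe(requested_url: str) -> str:
    """The flaw as reported: the URL is pasted into the HTML unescaped."""
    return TEMPLATE.format(url=requested_url)


def render_safe(requested_url: str) -> str:
    """Escape <, >, & and quotes once, at output time, so the URL is
    displayed as text and never parsed as markup."""
    return TEMPLATE.format(url=html.escape(requested_url, quote=True))


def reflects_markup(render) -> bool:
    """Regression check for an error-page renderer: True if the probe's
    tags come back verbatim, i.e. the browser would treat them as HTML."""
    return "<s>test</s>" in render(PROBE)


if __name__ == "__main__":
    for name, fn in (("unsafe", render_unsafe), ("safe", render_safe)):
        print(f"{name}: reflects markup = {reflects_markup(fn)}")
    # An '&' in the URL must be escaped as well, as the report notes.
    print(render_safe("http://nonexistent.example.com/?a=1&b=2"))
```

The same probe can be requested through a proxy after upgrading or installing a custom error page: if "test" is rendered with a strike-through, the path is still being emitted unescaped.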



Copyright 2002, SecurityGlobal.net LLC