SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Generic)  >  acFreeProxy Vendors:  acfreeproxy.sourceforge.net
acFreeProxy Server Input Validation Flaw Allows Remote Users to Conduct Cross-Site Scripting Attacks Against Proxy Server Users
SecurityTracker Alert ID:  1005690
CVE Reference:  GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Nov 24 2002
Impact:  Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Description:  An input validation vulnerability was reported in the acFreeProxy (acFP) HTTP proxy server. A remote user can conduct cross-site scripting attacks against users of the proxy server, potentially targeted against any web site.

It is reported that the proxy server does not filter HTML code from user-supplied URLs when printing the URL in an error message. An error message may be generated if the specified host is not reachable or if some other error condition exists.

A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site specified in the URL. Because the flaw is in the proxy server (and not in any particular destination site), this can be any site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL is provided:

http://www.hotmail.com:41997/%3CSCRIPT%3Ealert%28 document%3EURL%29%3C/SCRIPT%3E/

If the target user is configured to use the acFP proxy server, the above listed demonstration exploit URL will cause Javascript to be executed on the target user's browser.
Impact:  A remote user can access the target user's cookies (including authentication cookies), if any, associated with any web site (that the user would access via the proxy server), access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:  No solution was available at the time of this entry.
Vendor URL:  sourceforge.net/projects/acfreeproxy/ (Links to External Site)
Cause:  Input validation error
Underlying OS:  Windows (Any)
Reported By:  "Matthew Murphy" <mattmurphy@kc.rr.com>
Message History:   None.

 Source Message Contents
Date:  Sat, 23 Nov 2002 21:04:13 -0600
From:  "Matthew Murphy" <mattmurphy@kc.rr.com>
Subject:  [Full-Disclosure] acFreeProxy Cross-Site Scripting Vulnerability/Possible DoS

 

Product Information

acFreeProxy (aka "acfp") is an HTTP/1.x proxy for Microsoft Windows
environments.  It offers caching, and several other features, and has a
plug-in format designed for extensibility.  A flaw in the product may allow
attackers to execute content across domains.

Description

The proxy server may generate an error message if given a host that it
cannot reach, or some other exceptional condition.  The error page generated
during this process does not have any input validation, and is vulnerable to
cross-site scripting.  This allows an attacker to inject code as *any site*
the victim can visit, because this problem is in the proxy, and not a
specific site.

Impact

This vulnerability is significantly more dangerous than any site-specific
flaw, as it can be exploited to read content from any domain, instead of the
limited scope of a typical cross-site scripting flaw, where the site that is
flawed is the only site that can be impacted.

Exploit

http://www.hotmail.com:41997/%3CSCRIPT%3Ealert%28document%3EURL%29%3C/SCRIPT
%3E/

If a vulnerable proxy is being run, script execution begins.

I've also found bizarre crash behavior within acfp.  When it accesses
www.hotmail.com it crashes for some reason that I have yet to isolate.  I
believe that this may have something to do with empty entities in responses.
Any ideas?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2002, SecurityGlobal.net LLC