AnalogX Proxy Input Validation Flaw Permits Remote Cross-Site Scripting Attacks Against Arbitrary Web Sites

SecurityTracker Alert ID: 1007566
SecurityTracker URL: http://securitytracker.com/id/1007566
CVE Reference: GENERIC-MAP-NOMATCH
Date: Aug 26 2003
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included: Yes
Version(s): 4.14

Description:
An input validation vulnerability was reported in the AnalogX Proxy. A remote user can conduct cross-site scripting attacks against proxy users in arbitrary domains.
It is reported that when the proxy encounters a DNS lookup failure, the proxy will display the user-requested domain name in an error message without filtering the user-supplied input.
A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The URL can be crafted so that the code will appear to originate from an arbitrary web site and will run in the security context of that web site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
An example exploit URL is provided:
http://www.yahoo.com<script>alert(document.cookie)</script>
According to the report, some browsers (including Microsoft Internet Explorer) will interpret the domain of this URL to be 'www.yahoo.com'. However, the AnalogX Proxy will reportedly attempt to resolve the following as the (invalid) domain name:
www.yahoo.com<script>alert(document.cookie)</script>
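
The flaw described above is a proxy copying an unvalidated host name into its DNS-failure page. The following is an added illustration, not AnalogX code and not a vendor fix: it puts that behaviour beside a handler that rejects syntactically invalid host names before any lookup and HTML-escapes whatever it does echo. The function names, status codes, error-page wording and the `resolve` callable are assumptions made for the example.

```python
import html
import re

# One DNS label per RFC 952/1123: letters, digits, hyphens; 1-63 characters;
# no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def is_valid_hostname(host):
    """True only for syntactically valid host names (no port, no userinfo)."""
    if host.endswith("."):          # tolerate a single trailing root dot
        host = host[:-1]
    if not host or len(host) > 253:
        return False
    return all(_LABEL.fullmatch(label) for label in host.split("."))


def _page(message):
    # Hypothetical error-page template; the real proxy's wording is not known.
    return "<html><body><h1>Proxy error</h1><p>%s</p></body></html>" % message


def unsafe_error_page(host):
    """Behaviour reported in the advisory: the host is echoed unfiltered."""
    return _page("Unable to resolve host: " + host)


def safe_error_page(host):
    """Same page with the host HTML-escaped, so it renders as text only."""
    return _page("Unable to resolve host: " + html.escape(host, quote=True))


def handle_request(host, resolve):
    """Return (status, body). `resolve` is an assumed callable that returns
    an address string, or None when the DNS lookup fails."""
    if not is_valid_hostname(host):
        # Reject before any lookup and without reflecting the input at all.
        return 400, _page("Malformed host name in request.")
    if resolve(host) is None:
        return 502, safe_error_page(host)
    return 200, ""


if __name__ == "__main__":
    # Host string quoted in the advisory, plus a constructed unresolvable name.
    reported = "www.yahoo.com<script>alert(document.cookie)</script>"
    print(handle_request(reported, lambda h: None))
    print(handle_request("no-such-host.invalid", lambda h: None))
```

Validation alone would stop the reported string, but escaping the echoed value is still needed so that the error page stays safe if the validation rule is ever loosened (for example to admit ports or internationalized names).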

Impact:
For target users that invoke the Proxy, a remote user can access the target user's cookies (including authentication cookies), if any, associated with an arbitrary web site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution:
No solution was available at the time of this entry.

Vendor URL: www.analogx.com/contents/download/network/proxy.htm
Cause: Input validation error
Underlying OS: Windows (Any)
Message History: None.

Source Message Contents

Date: Mon, 25 Aug 2003 11:09:35 -0700 (PDT)
Subject: [Full-Disclosure] Non-Lame XSS Vulnerability - Analog-X Proxy

How about this for a halfway useful XSS issue,
analog-X proxy includes an HTTP proxy, when a domain
fails a DNS lookup it will return an error page with
the failed domain name in it.
OK great so we can steal cookies from any web page on
the internet providing it doesn't resolve. Not a lot
of use I hear you say. OK maybe you can take down a
nameserver long enough to steal cookies from some
site, how.... Inelegant.
But, the real trick is when you compare the URL
parsing of MSIE and AnalogX - say with a URL like....
http://www.yahoo.com<script>alert(document.cookie)</script>
well MSIE thinks that this is for the domain
www.yahoo.com, and so it uses the cookies from that
domain. However AnalogX thinks that this is for the
domain
www.yahoo.com<script>alert(document.cookie)</script>
Unless you have very fucked up DNS this won't resolve
to anything and AnalogX will return an error page
containing the script.
Now if you're a smart hacker you can create a chain of
redirects using your server and the XSS URLs, bounce
the target to a whole host of URLs and steal all their
cookies, find those domains for which the user has
set low security settings and exploit these if you
like. Or whatever you want to accomplish with your
newfound global XSS prowess.
Chris Sharp