Blue Coat Systems错误页面跨站脚本攻击(XSS)漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1106868 漏洞类型 跨站脚本
发布时间 2002-07-24 更新时间 2006-11-07
CVE编号 CVE-2002-1060 CNNVD-ID CNNVD-200210-048
漏洞平台 Multiple CVSS评分 4.3
|漏洞来源
https://www.exploit-db.com/exploits/21649
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200210-048
|漏洞详情
ClientAccelerator4.1.06版本,SecurityGateway2.1.02,以及ServerAccelerator4.1.06版本的BlueCoatSystems(原来的CacheFlow)存在跨站脚本攻击(XSS)漏洞。远程攻击者可以借助一个包含HTML且不存在主机名称的URL注入任意web脚本或HTML,该漏洞可以插入在产生的错误页面中。
|漏洞EXP
source: http://www.securityfocus.com/bid/5305/info

CacheOS is the firmware designed and distributed with CacheFlow web cache systems. It is maintained and distributed by CacheFlow.

User supplied data is not sanitized before being included in an unresolved host error page. An attacker may construct a link for a nonexistant subdomain of a valid site, and include malicious JavaScript. If followed, the supplied script code will execute within the context of the requested domain.

http://dummy.example.com/<script>EVIL CODE</script>
|参考资料

来源:BID
名称:5305
链接:http://www.securityfocus.com/bid/5305
来源:XF
名称:cacheos-unresolved-error-xss(9674)
链接:http://www.iss.net/security_center/static/9674.php
来源:BID
名称:5608
链接:http://www.securityfocus.com/bid/5608
来源:download.cacheflow.com
链接:http://download.cacheflow.com/release/CA/4.1.00-docs/CACacheOS41fixes.htm
来源:BUGTRAQ
名称:20020724CacheFlowCacheOSCross-siteScriptingVulnerability
链接:http://archives.neohapsis.com/archives/bugtraq/2002-07/0283.html