Blue Coat Systems错误页面跨站脚本攻击（XSS）漏洞

https://www.exploit-db.com/exploits/21649
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200210-048

ClientAccelerator4.1.06版本，SecurityGateway2.1.02，以及ServerAccelerator4.1.06版本的BlueCoatSystems（原来的CacheFlow）存在跨站脚本攻击（XSS）漏洞。远程攻击者可以借助一个包含HTML且不存在主机名称的URL注入任意web脚本或HTML，该漏洞可以插入在产生的错误页面中。

source: http://www.securityfocus.com/bid/5305/info

CacheOS is the firmware designed and distributed with CacheFlow web cache systems. It is maintained and distributed by CacheFlow.

User supplied data is not sanitized before being included in an unresolved host error page. An attacker may construct a link for a nonexistant subdomain of a valid site, and include malicious JavaScript. If followed, the supplied script code will execute within the context of the requested domain.

http://dummy.example.com/<script>EVIL CODE</script>

来源:BID
名称:5305
链接:http://www.securityfocus.com/bid/5305
来源:XF
名称:cacheos-unresolved-error-xss(9674)
链接:http://www.iss.net/security_center/static/9674.php
来源:BID
名称:5608
链接:http://www.securityfocus.com/bid/5608
来源:download.cacheflow.com
链接:http://download.cacheflow.com/release/CA/4.1.00-docs/CACacheOS41fixes.htm
来源:BUGTRAQ
名称:20020724CacheFlowCacheOSCross-siteScriptingVulnerability
链接:http://archives.neohapsis.com/archives/bugtraq/2002-07/0283.html