Bugtraq mailing list archives

Re: CacheFlow CacheOS Cross-site Scripting Vulnerability


From: Blue Coat Systems, Inc. <support () bluecoat com>
Date: 3 Sep 2002 05:37:13 -0000

In-Reply-To: <200207250749.33496@Message-id-is-important>

-----------------------------------------------------------
Blue Coat Systems (formerly CacheFlow) Cross Site Scripting Vulnerability
-----------------------------------------------------------

Blue Coat Systems thanks T. Suzuki of Reflection Inc. / Chukyo University 
for the help in finding and bringing this exploit to the attention of our 
support team.  An excellent job was done in providing a detailed 
explanation of the problem and the solution.  To provide complete 
clarification Blue Coat Systems Support is providing an official response 
to this vulnerability.

VULNERABLE SOFTWARE VERSIONS
============================

  Client Accelerators
    CA 4.1.06 and earlier

  Server Accelerators
    SA 4.1.06 and earlier

  Security Gateways
    SG 2.1.02 and earlier


EXPLOIT
=======

  It is possible to send HTML special characters (such as "<", ">" and
  "&") to the client browser via the appliance's error pages.

IMPACT
======

  Users may involuntarily invoke a client-side script.

SUGGESTED SOLUTION
==================

  Client Accelerators
    Upgrade to CA 4.1.07 or higher

  Server Accelerators
    Upgrade to SA 4.1.07 or higher

  Security Gateways
    Upgrade to SG 2.1.03 or higher

ALTERNATIVE SOLUTION
====================

  Client Accelerators
    CA 3.1.XX
      Upgrade the custom error pages.
      Download the updated error pages file and install instructions at

      http://download.cacheflow.com/release/CA/3.1.00-docs/v3.1-error-pages.zip


    CA 4.0.XX
      Upgrade the custom error pages.
      Download the updated error pages file and install instructions at

      http://download.cacheflow.com/release/CA/4.0.00-docs/CA4-error-pages.zip

  Server Accelerators
    SA 4.0.XX

      Upgrade the custom error pages.
      Download the updated error pages file and install instructions at

      http://download.cacheflow.com/release/SA/4.0.00-docs/SA4-error-pages.zip

  Security Gateways
    None

Blue Coat Systems (formerly CacheFlow) Support Department
UNITED STATES DOMESTIC: 866.362.2628
DOMESTIC/INTERNATIONAL CALLS: 408.220.2270
ASIA PACIFIC RIM: 81.3.5425.8492
EMAIL: support () bluecoat com

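The advisory's EXPLOIT section describes the bug class without showing it: a proxy error page echoes request data (such as the requested URL) into HTML without encoding "<", ">" and "&", so a crafted request turns the appliance's own error page into a reflected cross-site scripting vector. The following is an added example, not Blue Coat/CacheFlow code and not the appliance's actual error-page text. It models a minimal error-page renderer with a constructed template and a constructed probe URL, shows the vulnerable substitution beside the encoded one, and includes a check a practitioner can run on a rendered page to see which special characters leaked through unencoded.

```python
"""Reflected XSS via a proxy error page: vulnerable vs. encoded rendering.

Added example (not vendor code). ERROR_TEMPLATE and PROBE_URL are
constructed for this demonstration; they are assumptions, not the
appliance's real error-page template or a published test case.
"""
import html
import re

# Constructed stand-in for an appliance error-page template: a fixed HTML
# page with one slot where the requested URL is substituted.
ERROR_TEMPLATE = (
    "<html><head><title>Error</title></head><body>"
    "<h1>Unable to connect</h1>"
    "<p>The proxy could not connect to: {url}</p>"
    "</body></html>"
)

# Constructed probe URL carrying every character the advisory names
# ("<", ">", "&") plus a double quote, so each one is exercised.
PROBE_URL = 'http://example.test/?q=<script>alert(1)</script>&x="y"'

# A well-formed HTML character reference (&lt; &amp; &#60; &#x3c; ...).
_ENTITY_RE = re.compile(r"&(#\d+|#x[0-9a-fA-F]+|[a-zA-Z][a-zA-Z0-9]*);")


def render_error_page_vulnerable(requested_url: str) -> str:
    """The defect: the URL is dropped straight into the HTML body."""
    return ERROR_TEMPLATE.format(url=requested_url)


def render_error_page_fixed(requested_url: str) -> str:
    """The fix: HTML-encode the URL before substitution.

    html.escape() turns & < > " ' into character references, so nothing in
    the URL can open a tag or break out of an attribute. "&" must be encoded
    as well; otherwise an attacker can smuggle entities that the browser
    decodes back into markup.
    """
    return ERROR_TEMPLATE.format(url=html.escape(requested_url, quote=True))


def reflected_text(page: str) -> str:
    """Return the text that was substituted into the template's {url} slot."""
    prefix, suffix = ERROR_TEMPLATE.split("{url}")
    if not (page.startswith(prefix) and page.endswith(suffix)):
        raise ValueError("page does not match the template framing")
    return page[len(prefix):len(page) - len(suffix)]


def unescaped_specials(page: str, probe: str) -> set:
    """Which HTML special characters from `probe` reached the page raw.

    "<", ">" and '"' count as leaked if they appear verbatim in the reflected
    region. "&" counts as leaked only when it does not begin a well-formed
    character reference, since an encoded page legitimately contains "&lt;".
    """
    reflected = reflected_text(page)
    leaked = {c for c in '<>"' if c in probe and c in reflected}
    if "&" in probe and "&" in _ENTITY_RE.sub("", reflected):
        leaked.add("&")
    return leaked


def is_vulnerable(page: str, probe: str) -> bool:
    """True if rendering `probe` left any active markup character unencoded."""
    return bool(unescaped_specials(page, probe))


def round_trips(page: str, probe: str) -> bool:
    """True if the reflected region decodes back to exactly the probe.

    A correct encoding preserves the information (the user still sees the
    URL they asked for) while neutralising its markup.
    """
    return html.unescape(reflected_text(page)) == probe


if __name__ == "__main__":
    for name, render in (("vulnerable", render_error_page_vulnerable),
                         ("fixed", render_error_page_fixed)):
        page = render(PROBE_URL)
        print(f"{name}: leaked={sorted(unescaped_specials(page, PROBE_URL))} "
              f"round_trips={round_trips(page, PROBE_URL)}")
        print("  ", reflected_text(page))
```

Against a live appliance the framing trick in `reflected_text` does not apply, because the real template is unknown; the equivalent check is to provoke the error page with a request whose URL contains the probe and search the response body for the raw probe string. Finding it verbatim means the error pages still need the upgrade described above.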
