Bugtraq mailing list archives
Re: CacheFlow CacheOS Cross-site Scripting Vulnerability
From: Blue Coat Systems, Inc. <support () bluecoat com>
Date: 3 Sep 2002 05:37:13 -0000
In-Reply-To: <200207250749.33496@Message-id-is-important>

-----------------------------------------------------------
Blue Coat Systems (formerly CacheFlow)
Cross Site Scripting Vulnerability
-----------------------------------------------------------

Blue Coat Systems thanks T. Suzuki of Reflection Inc. / Chukyo University for the help in finding and bringing this exploit to the attention of our support team. An excellent job was done in providing a detailed explanation of the problem and the solution. To provide complete clarification Blue Coat Systems Support is providing an official response to this vulnerability.

VULNERABLE SOFTWARE VERSIONS
============================

Client Accelerators
   CA 4.1.06 and earlier

Server Accelerators
   SA 4.1.06 and earlier

Security Gateways
   SG 2.1.02 and earlier

EXPLOIT
=======

It is possible to send HTML special characters (such as "<", ">" and "&") to the client browser via the appliance's error pages.

IMPACT
======

Users may involuntarily invoke a client side script.

SUGGESTED SOLUTION
==================

Client Accelerators
   Upgrade to CA 4.1.07 or higher

Server Accelerators
   Upgrade to SA 4.1.07 or higher

Security Gateways
   Upgrade to SG 2.1.03 or higher

ALTERNATIVE SOLUTION
====================

Client Accelerators
   CA 3.1.XX
      Upgrade the custom error pages. Download the updated error pages file and install instructions at
      http://download.cacheflow.com/release/CA/3.1.00-docs/v3.1-error-pages.zip
   CA 4.0.XX
      Upgrade the custom error pages. Download the updated error pages file and install instructions at
      http://download.cacheflow.com/release/CA/4.0.00-docs/CA4-error-pages.zip

Server Accelerators
   SA 4.0.XX
      Upgrade the custom error pages. Download the updated error pages file and install instructions at
      http://download.cacheflow.com/release/SA/4.0.00-docs/SA4-error-pages.zip

Security Gateways
   None

Blue Coat Systems (formerly CacheFlow)
Support Department
UNITED STATES DOMESTIC: 866.362.2628
DOMESTIC/INTERNATIONAL CALLS: 408.220.2270
ASIA PACIFIC RIM: 81.3.5425.8492
EMAIL: support () bluecoat com
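
Added example, not part of the Blue Coat advisory and not the appliance's own code: a Python illustration of an error page that echoes request-derived text, rendered without and with encoding of the special characters the advisory names, plus a regression check for raw reflection. The template, the function names and the sample URL are assumptions constructed for illustration.

```python
import html
from string import Template

# Hypothetical error-page template; the advisory does not show the real pages.
ERROR_PAGE = Template(
    "<html><head><title>$status</title></head><body>\n"
    "<h1>$status</h1>\n"
    '<p>The requested URL <a href="$url">$url</a> could not be retrieved.</p>\n'
    "<p>Reason: $reason</p>\n"
    "</body></html>\n"
)

# Constructed sample input: a URL carrying harmless markup and an ampersand.
SAMPLE_URL = "http://example.invalid/<b>x</b>?a=1&b=2"


def render_unsafe(status, url, reason):
    """'Before' behaviour: request-derived text is copied into the page verbatim."""
    return ERROR_PAGE.substitute(status=status, url=url, reason=reason)


def render_escaped(status, url, reason):
    """Encode &, <, > and both quote characters in every field before substitution.

    Quote encoding matters because $url also lands inside an attribute value.
    This only neutralises markup; it does not validate the URL scheme.
    """
    fields = {"status": status, "url": url, "reason": reason}
    return ERROR_PAGE.substitute(
        {name: html.escape(value, quote=True) for name, value in fields.items()}
    )


def reflects_raw(page, value):
    """Regression check: True if a value containing HTML special characters
    appears in the rendered page without being encoded."""
    has_special = any(ch in value for ch in "<>&\"'")
    return has_special and value in page


if __name__ == "__main__":
    for render in (render_unsafe, render_escaped):
        page = render("502 Bad Gateway", SAMPLE_URL, "DNS lookup failed")
        print(render.__name__, "reflects raw input:", reflects_raw(page, SAMPLE_URL))
```

Running `reflects_raw` against every field an error page echoes, on each supported template, confirms that an updated set of error pages actually closes the reflection.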