Bugtraq mailing list archives
Proxomitron Cross-site Scripting Vulnerability
From: "TAKAGI, Hiromitsu" <takagi () etl go jp>
Date: Tue, 24 Jul 2001 06:05:03 +0900
Proxomitron Cross-site Scripting Vulnerability
==============================================

Affected versions
=================

Proxomitron Naoko-4 BetaFour or earlier
http://spywaresucks.org/prox/

Problem
=======

Accessing the following URL with the browser configured to use
Proxomitron as a proxy,

  http://www.example.com:9999/<SCRIPT>document.write(document.domain)</SCRIPT>
                         ----
                         inactive port

it will cause Proxomitron to produce output like this:

========================================================
<html><head><title>The Proxomitron Reveals...</title>
...
The Proxomitron couldn't connect to...<br>
<font color=#ffff00 size=+1 >
www.example.com:9999/<SCRIPT>document.write(document.domain)</SCRIPT>
</font><br>
The site may be busy or the web server may be down.
...
========================================================

and this will be shown as the following:

========================================================
Error connecting to site

The Proxomitron couldn't connect to...
www.example.com:9999/www.example.com
The site may be busy or the web server may be down.
========================================================

The noteworthy point is that the JavaScript code will be executed on an
arbitrary specified domain. Therefore, malicious JavaScript code written
by an attacker can be executed in the browser and the Cookies issued from
an arbitrary specified site can be stolen.

cf. The same problem was found in Squid 2.4 DEVEL4.
<http://www.securityfocus.com/archive/1/197606>

Status
======

Notified: 21 Jul 2001 05:19:22 +0900

Fix: Proxomitron Naoko-4 BetaFive
http://spywaresucks.org/prox/beta.html

Changes.txt:
> BETA FIVE:
> * Fixed a potential JavaScript exploit that could result from
>   including HTML in a bad URL. Proxomitron's error message output
>   would echo the URL to the browser allowing the code to be
>   processed. This could let JavaScript run seemingly under that
>   URL (and might lead to cookie vulnerabilities).
>   All echoed text is now HTML escaped before being printed.
>   (My thanks to Hiromitsu Takagi for alerting me to this).

--
Hiromitsu Takagi, Ph.D.
National Institute of Advanced Industrial Science and Technology,
Tsukuba Central 2, 1-1-1, Umezono, Tsukuba, Ibaraki 305-8568, Japan
http://www.etl.go.jp/~takagi/
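As an added example (not part of the advisory and not Proxomitron's own code), this Python sketch reproduces the error-page behaviour described above: the BetaFour-style verbatim echo of the unreachable URL beside the BetaFive-style HTML-escaped version, plus a check a reviewer can run to flag when untrusted input survives into an error page as live markup. The template text is reconstructed from the output quoted in the post; the function names and the wrapper layout are assumptions.

```python
import html

# Error-page skeleton reconstructed from the advisory's quoted output
# (message text is the page's; the surrounding layout is simplified).
_TEMPLATE = (
    "<html><head><title>The Proxomitron Reveals...</title></head><body>\n"
    "The Proxomitron couldn't connect to...<br>\n"
    "<font color=#ffff00 size=+1 >\n{target}\n</font><br>\n"
    "The site may be busy or the web server may be down.\n"
    "</body></html>"
)


def render_error_vulnerable(target: str) -> str:
    """BetaFour behaviour: the host/path the proxy failed to reach is
    copied into the HTML body unchanged, so any markup in it is parsed
    by the browser in the origin of the requested host."""
    return _TEMPLATE.format(target=target)


def render_error_fixed(target: str) -> str:
    """BetaFive behaviour: all echoed text is HTML-escaped first, so the
    same input is rendered as literal characters."""
    return _TEMPLATE.format(target=html.escape(target, quote=True))


def echoed_markup_unescaped(page: str, untrusted: str) -> bool:
    """Detection check: True when the untrusted input contained markup
    characters and reappears in the page byte-for-byte, i.e. the page
    reflected it without encoding."""
    return ("<" in untrusted or '"' in untrusted) and untrusted in page


# Constructed sample: the probe URL from the advisory, as the proxy would
# see it after stripping the scheme.
SAMPLE_TARGET = (
    "www.example.com:9999/<SCRIPT>document.write(document.domain)</SCRIPT>"
)

if __name__ == "__main__":
    for name, render in (("vulnerable", render_error_vulnerable),
                         ("fixed", render_error_fixed)):
        page = render(SAMPLE_TARGET)
        print(f"{name}: reflected unescaped ="
              f" {echoed_markup_unescaped(page, SAMPLE_TARGET)}")
```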