------------------------------------------------------
CacheFlow CacheOS Cross-site Scripting Vulnerability
------------------------------------------------------

Vulnerable Product
==================
CacheFlow CacheOS CA 4.1.06 and earlier.

Confirmed on:
  CA 3.1.17, Release ID: 15403
  CA 4.0.14, Release ID: 17085
  CA 4.1.06, Release ID: 17757

Not vulnerable:
  CacheOS V4.1.07 (2002/07/15 Release)

Problems
========
CacheFlow neglects to escape characters such as "<", ">" and "&" in the
path shown in the "unresolve" error messages, and passes the message to
the browser as HTML.

Impact
======
Browsers using a vulnerable CacheFlow may send private cookies to the
attacker through evil code such as
http://dummy.example.com/<script>EVIL CODE</script> .

Example
=======
Type
  http://nonexistent.example.com/<s>test</s>

The returned error page reads:

  Error
  Problem Report
  The system detected an Unresolved Host Name while attempting to
  retrieve the URL: http://nonexistent.example.com/test.
  Message ID UNRESOLVED_HOSTNAME

In the displayed URL, "test" is rendered with a strike-through.

Solution
========
A. Make safe custom error pages
B. Update to CacheOS V4.1.07

Reference
=========
http://download.cacheflow.com/release/CA/4.1.00-docs/CACacheOS41fixes.htm

--
T.Suzuki
Reflection Inc. / Chukyo University
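
Solution A as an added example (not CacheFlow's code and not part of the original advisory): a Python sketch of an error-page renderer that copies the requested URL in raw, as described under Problems, beside one that escapes it, plus a check that a rendered page carries no tags beyond its own template. The template text, function names and allowed-tag set are assumptions modelled on the error page quoted in the advisory.

```python
import html
from html.parser import HTMLParser

# Hypothetical template modelled on the quoted error page; the real
# CacheOS template is not shown in the advisory.
TEMPLATE = (
    "<html><body><h1>Error</h1><h2>Problem Report</h2>"
    "<p>The system detected an Unresolved Host Name while attempting "
    "to retrieve the URL: {url}.</p>"
    "<p>Message ID UNRESOLVED_HOSTNAME</p></body></html>"
)
TEMPLATE_TAGS = {"html", "body", "h1", "h2", "p"}  # tags the template itself uses

def render_unsafe(requested_url):
    """Behaviour the advisory describes: the URL is placed in the HTML as-is."""
    return TEMPLATE.format(url=requested_url)

def render_safe(requested_url):
    """Escape <, >, & and quotes so the URL is displayed as text only."""
    return TEMPLATE.format(url=html.escape(requested_url, quote=True))

class _Collector(HTMLParser):
    """Records every start tag and all visible text, as a browser would see them."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.text = [], []
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
    def handle_data(self, data):
        self.text.append(data)

def inspect(page):
    """Return (start tags, visible text) of a rendered error page."""
    c = _Collector()
    c.feed(page)
    c.close()
    return c.tags, "".join(c.text)

def injected_tags(page):
    """Tags in the page that did not come from the template (should be empty)."""
    tags, _ = inspect(page)
    return [t for t in tags if t not in TEMPLATE_TAGS]

if __name__ == "__main__":
    probe = "http://nonexistent.example.com/<s>test</s>"  # URL from the advisory
    for render in (render_unsafe, render_safe):
        print(render.__name__, "injected tags:", injected_tags(render(probe)))
```

With the escaped renderer the visible text contains the requested URL exactly as typed, angle brackets included, which is a quick visual check for a custom error page.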