In-Reply-To: <200207250749.33496@Message-id-is-important>

-----------------------------------------------------------
Blue Coat Systems (formerly CacheFlow) Cross Site Scripting Vulnerability
-----------------------------------------------------------

Blue Coat Systems thanks T. Suzuki of Reflection Inc. / Chukyo University for the help in finding this exploit and bringing it to the attention of our support team. An excellent job was done in providing a detailed explanation of the problem and the solution. To provide complete clarification, Blue Coat Systems Support is providing an official response to this vulnerability.

VULNERABLE SOFTWARE VERSIONS
============================
Client Accelerators    CA 4.1.06 and earlier
Server Accelerators    SA 4.1.06 and earlier
Security Gateways      SG 2.1.02 and earlier

EXPLOIT
=======
The appliance's error pages pass HTML special characters (such as "<", ">" and "&") through to the client browser without encoding them, so markup embedded in the echoed content is rendered rather than displayed as text.

IMPACT
======
Users may involuntarily execute a client-side script (cross-site scripting).

SUGGESTED SOLUTION
==================
Client Accelerators    Upgrade to CA 4.1.07 or higher
Server Accelerators    Upgrade to SA 4.1.07 or higher
Security Gateways      Upgrade to SG 2.1.03 or higher

ALTERNATIVE SOLUTION
====================
Client Accelerators
  CA 3.1.XX  Upgrade the custom error pages. Download the updated error pages file and install instructions at
             http://download.cacheflow.com/release/CA/3.1.00-docs/v3.1-error-pages.zip
  CA 4.0.XX  Upgrade the custom error pages. Download the updated error pages file and install instructions at
             http://download.cacheflow.com/release/CA/4.0.00-docs/CA4-error-pages.zip

Server Accelerators
  SA 4.0.XX  Upgrade the custom error pages. Download the updated error pages file and install instructions at
             http://download.cacheflow.com/release/SA/4.0.00-docs/SA4-error-pages.zip

Security Gateways
  None

Blue Coat Systems (formerly CacheFlow) Support Department
UNITED STATES DOMESTIC:         866.362.2628
DOMESTIC/INTERNATIONAL CALLS:   408.220.2270
ASIA PACIFIC RIM:               81.3.5425.8492
EMAIL:                          support@bluecoat.com
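The following is an added illustration of the class of defect the advisory describes and of what an "updated error page" must do differently; it is not Blue Coat's code and not taken from the appliance's error-page files. It assumes a hypothetical error-page template that interpolates a request-derived string (here the requested URL) into the HTML body. The hostile URL is constructed for the demonstration, not a capture from any device.

```python
import html

# Constructed sample input: a request URL carrying script markup.
# Labelled as constructed; it is not taken from any real traffic.
HOSTILE_URL = "http://example.invalid/<script>alert(1)</script>?a=1&b=2"

# Hypothetical error-page template. The real appliance pages are not
# reproduced here; this only models "echo the URL into the HTML body".
ERROR_TEMPLATE = (
    "<html><body>\n"
    "<h1>Network Error</h1>\n"
    "<p>Unable to retrieve the requested URL: {url}</p>\n"
    "</body></html>\n"
)


def escape_html_text(value: str) -> str:
    """Entity-encode the characters that must never reach an HTML text
    node or attribute value unencoded: & first, then < > " '.
    Equivalent to html.escape(value, quote=True); spelled out so the
    ordering (ampersand before the others) is visible."""
    return (
        value.replace("&", "&amp;")
        .replace("<", "&lt;")
        .replace(">", "&gt;")
        .replace('"', "&quot;")
        .replace("'", "&#x27;")
    )


def render_error_unsafe(url: str) -> str:
    """Vulnerable pattern: the URL is interpolated verbatim, so any
    '<', '>' or '&' it contains is interpreted as markup by the browser."""
    return ERROR_TEMPLATE.format(url=url)


def render_error_safe(url: str) -> str:
    """Hardened pattern: the URL is entity-encoded before interpolation,
    so the browser displays the characters instead of parsing them."""
    return ERROR_TEMPLATE.format(url=escape_html_text(url))


def echoed_value_is_encoded(page: str, original: str) -> bool:
    """Check used by the demo: the raw injected string must be absent
    from the rendered page and its encoded form must be present."""
    return original not in page and escape_html_text(original) in page


if __name__ == "__main__":
    for label, render in (("unsafe", render_error_unsafe),
                          ("safe", render_error_safe)):
        page = render(HOSTILE_URL)
        print(f"--- {label} ---")
        print(page)
        print("injected markup neutralised:",
              echoed_value_is_encoded(page, HOSTILE_URL))
    # The stdlib helper agrees with the hand-written escaper.
    assert escape_html_text(HOSTILE_URL) == html.escape(HOSTILE_URL, quote=True)
```

The same check can be run against any custom error page that interpolates request data: render it with a string containing "<", ">" and "&", and confirm that only the entity-encoded forms appear in the output. Replacing the page files, as the advisory's alternative solution does, only helps if every interpolation point in every page applies this encoding.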