---------------------------------------------------------------------- SNS Advisory No.57 AN HTTPD Cross-site Scripting Vulnerability Problem first discovered: Wed, 23 Oct 2002 Published: Mon, 28 Oct 2002 Reference: http://www.lac.co.jp/security/english/snsadv_e/57_e.html ---------------------------------------------------------------------- Overview: --------- AN HTTPD 1.41d is prone to a Cross-site Scripting vulnerability. Details: -------- AN HTTPD shows an error page if a client sends a request containing ":" in the URI field. The problem occurs due to the fact that this URI is injected into the error page without being sanitized. Tested Versions: ---------------- AN HTTPD 1.41d Tested OS: ---------- Windows 2000 Server + SP3 Solution: --------- This problem can be eliminated by updating to AN HTTPD 1.41e. AN HTTPD 1.41e http://www.st.rim.or.jp/~nakata/httpd141e.exe Discovered by: -------------- Keigo Yamazaki Acknowledgements: ----------------- Thanks to: Mr. Akio Nakata Disclaimer: ----------- All information in these advisories are subject to change without any advanced notices neither mutual consensus, and each of them is released as it is. LAC Co.,Ltd. is not responsible for any risks of occurrences caused by applying those information. ------------------------------------------------------------------ SecureNet Service(SNS) Security Advisory <snsadv@lac.co.jp> Computer Security Laboratory, LAC http://www.lac.co.jp/security/
