From: Blue_at_mail.securityfocus.com, Coatmail.securityfocus.com, Systemsmail.security (Blue_at_mail.securityfocus.com)
Date: Tue Sep 03 2002 - 00:37:13 CDT

    In-Reply-To: <200207250749.33496Message-id-is-important>

    -----------------------------------------------------------
    Blue Coat Systems (formerly CacheFlow) Cross Site Scripting Vulnerability
    -----------------------------------------------------------

    Blue Coat Systems thanks T. Suzuki of Reflection Inc. / Chukyo University
    for the help in finding and bringing this exploit to the attention of our
    support team. An excellent job was done in providing a detailed
    explanation of the problem and the solution. To provide complete
    clarification, Blue Coat Systems Support is providing an official response
    to this vulnerability.

    VULNERABLE SOFTWARE VERSIONS
    ============================

      Client Accelerators
        CA 4.1.06 and earlier

      Server Accelerators
        SA 4.1.06 and earlier

      Security Gateways
        SG 2.1.02 and earlier

    EXPLOIT
    =======

      It is possible to send HTML special characters (such as "<", ">" and
      "&") to the client browser via the appliance's error pages.

    IMPACT
    ======

      Users may involuntarily invoke a client side script.

    SUGGESTED SOLUTION
    ==================

      Client Accelerators
        Upgrade to CA 4.1.07 or higher

      Server Accelerators
        Upgrade to SA 4.1.07 or higher

      Security Gateways
        Upgrade to SG 2.1.03 or higher

    ALTERNATIVE SOLUTION
    ====================

      Client Accelerators
        CA 3.1.XX
          Upgrade the custom error pages.
          Download the updated error pages file and install instructions at

          http://download.cacheflow.com/release/CA/3.1.00-docs/v3.1-error-pages.zip

        CA 4.0.XX
          Upgrade the custom error pages.
          Download the updated error pages file and install instructions at

          http://download.cacheflow.com/release/CA/4.0.00-docs/CA4-error-pages.zip

      Server Accelerators
        SA 4.0.XX

          Upgrade the custom error pages.
          Download the updated error pages file and install instructions at

          http://download.cacheflow.com/release/SA/4.0.00-docs/SA4-error-pages.zip

      Security Gateways
        None

    Blue Coat Systems (formerly CacheFlow) Support Department
    UNITED STATES DOMESTIC: 866.362.2628
    DOMESTIC/INTERNATIONAL CALLS: 408.220.2270
    ASIA PACIFIC RIM: 81.3.5425.8492
    EMAIL: supportbluecoat.com
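
The class of fix the advisory describes, encoding HTML special characters before request data is echoed into an error page, as an added example (not Blue Coat's code and not part of the original message). The template, function names and request URLs are hypothetical and constructed for illustration; the check at the end is one way to regression-test a custom error page after updating it.

```python
import html
from string import Template

# Hypothetical error-page template. $url is the client-requested URL echoed
# back in the body (an assumption about how such a page is assembled).
ERROR_PAGE = Template(
    "<html><head><title>Error</title></head><body>"
    "<h1>$status</h1><p>The URL $url could not be retrieved.</p>"
    "</body></html>"
)


def render_unsafe(status: str, url: str) -> str:
    """Pre-fix behaviour: request data is copied into the page verbatim."""
    return ERROR_PAGE.substitute(status=status, url=url)


def render_safe(status: str, url: str) -> str:
    """Fixed behaviour: <, >, & and quotes are entity-encoded first."""
    return ERROR_PAGE.substitute(
        status=html.escape(status, quote=True),
        url=html.escape(url, quote=True),
    )


def reflects_markup(render, probe: str = '<x-probe a="1">&') -> bool:
    """Regression check: True if the renderer echoes the probe unencoded."""
    page = render("404 Not Found", "http://example.invalid/" + probe)
    return probe in page


if __name__ == "__main__":
    # Constructed request URL containing the characters the advisory names.
    url = 'http://example.invalid/<b>&"'
    print(render_safe("404 Not Found", url))
    for name, fn in (("unsafe", render_unsafe), ("safe", render_safe)):
        print(f"{name}: reflects markup = {reflects_markup(fn)}")
```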