Proxomitron Cross-site Scripting Vulnerability
daemon@ATHENA.MIT.EDU (TAKAGI, Hiromitsu)
Mon Jul 23 20:10:11 2001
Date: Tue, 24 Jul 2001 06:05:03 +0900
From: "TAKAGI, Hiromitsu" <takagi@etl.go.jp>
To: bugtraq@securityfocus.com
Message-Id: <20010724043534.4C6D.TAKAGI@etl.go.jp>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Proxomitron Cross-site Scripting Vulnerability
==============================================
Affected versions
=================
Proxomitron Naoko-4 BetaFour or earlier
http://spywaresucks.org/prox/
Problem
=======
Accessing the following URL, in which 9999 is an inactive port, with the
browser configured to use Proxomitron as a proxy:
http://www.example.com:9999/<SCRIPT>document.write(document.domain)</SCRIPT>
will cause Proxomitron to produce output like this:
========================================================
<html><head><title>The Proxomitron Reveals...</title>
...
The Proxomitron couldn't connect to...<br>
<font color=#ffff00 size=+1 > www.example.com:9999/<SCRIPT>document.write(document.domain)</SCRIPT>
</font><br>
The site may be busy or the web server may be down.
...
========================================================
and the browser will render it as follows:
========================================================
Error connecting to site
The Proxomitron couldn't connect to...
www.example.com:9999/www.example.com
The site may be busy or the web server may be down.
========================================================
The noteworthy point is that the JavaScript code is executed in the
context of an arbitrary specified domain.
Therefore, malicious JavaScript written by an attacker can be executed
in the browser, and the cookies issued by an arbitrary specified site
can be stolen.
cf. The same problem was found in Squid 2.4 DEVEL4.
<http://www.securityfocus.com/archive/1/197606>
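To make the defect and its fix concrete, the following is an added Python example, not Proxomitron's own code: the error page skeleton is reconstructed from the fragment quoted above, and the BetaFour/BetaFive builders are hypothetical models of the behaviour before and after escaping was added. The last function is a defender's regression check for any proxy or gateway whose error page repeats the requested URL.

```python
import html

# Constructed sample input: the request URL from the advisory. Everything after
# the scheme (host:port/path) is what the error page echoes back to the browser.
SAMPLE_URL = "http://www.example.com:9999/<SCRIPT>document.write(document.domain)</SCRIPT>"


def echoed_part(url: str) -> str:
    """The host:port/path portion of the URL that the error message repeats."""
    return url.partition("://")[2]


def _error_page(echo: str) -> str:
    """Skeleton of the 'Error connecting to site' page, reconstructed from the
    fragment quoted in the advisory (hypothetical; not Proxomitron's source)."""
    return (
        "<html><head><title>The Proxomitron Reveals...</title></head><body>\n"
        "The Proxomitron couldn't connect to...<br>\n"
        f'<font color="#ffff00" size="+1">{echo}</font><br>\n'
        "The site may be busy or the web server may be down.\n"
        "</body></html>\n"
    )


def error_page_betafour(url: str) -> str:
    """Model of the BetaFour behaviour: the URL is interpolated verbatim, so any
    <SCRIPT> in the path becomes live markup in the proxy's own response."""
    return _error_page(echoed_part(url))


def error_page_betafive(url: str) -> str:
    """Model of the BetaFive behaviour per Changes.txt: echoed text is
    HTML-escaped first, so '<', '>', '&' and quotes render as literal text."""
    return _error_page(html.escape(echoed_part(url), quote=True))


def reflects_raw_markup(render, url: str = SAMPLE_URL) -> bool:
    """Defender's check: does this page builder reflect the URL's markup
    unescaped? True means a tag in the URL survives into the HTML body."""
    return echoed_part(url) in render(url)


if __name__ == "__main__":
    print(error_page_betafour(SAMPLE_URL))
    print(error_page_betafive(SAMPLE_URL))
    print("BetaFour reflects raw markup:", reflects_raw_markup(error_page_betafour))
    print("BetaFive reflects raw markup:", reflects_raw_markup(error_page_betafive))
```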
Status
======
Notified:
21 Jul 2001 05:19:22 +0900
Fix:
Proxomitron Naoko-4 BetaFive
http://spywaresucks.org/prox/beta.html
Changes.txt:
> BETA FIVE:
> * Fixed a potential JavaScript exploit that could result from
> including HTML in a bad URL. Proxomitron's error message output
> would echo the URL to the browser allowing the code to be
> processed. This could let JavaScript run seemingly under that
> URL (and might lead to cookie vulnerabilities).
> All echoed text is now HTML escaped before being printed.
> (My thanks to Hiromitsu Takagi for alerting me to this).
--
Hiromitsu Takagi, Ph.D.
National Institute of Advanced Industrial Science and Technology,
Tsukuba Central 2, 1-1-1, Umezono, Tsukuba, Ibaraki 305-8568, Japan
http://www.etl.go.jp/~takagi/