[26898] in bugtraq
Re: CacheFlow CacheOS Cross-site Scripting Vulnerability
Tue Sep 3 12:28:17 2002
Date: 3 Sep 2002 05:37:13 -0000
Message-ID: <20020903053713.7971.qmail@mail.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: "Blue Coat Systems, Inc." <support@bluecoat.com>
To: bugtraq@securityfocus.com
In-Reply-To: <200207250749.33496@Message-id-is-important>
-----------------------------------------------------------
Blue Coat Systems (formerly CacheFlow) Cross Site Scripting Vulnerability
-----------------------------------------------------------
Blue Coat Systems thanks T. Suzuki of Reflection Inc. / Chukyo University
for finding this vulnerability and bringing it to the attention of our
support team, together with a detailed explanation of the problem and of
the solution. To provide complete clarification, Blue Coat Systems Support
is issuing this official response to the vulnerability.
VULNERABLE SOFTWARE VERSIONS
============================
Client Accelerators
CA 4.1.06 and earlier
Server Accelerators
SA 4.1.06 and earlier
Security Gateways
SG 2.1.02 and earlier
EXPLOIT
=======
The appliance's built-in and custom error pages echo request-derived
content without HTML-encoding it. HTML special characters (such as "<",
">" and "&") supplied by an attacker therefore reach the client browser
unchanged and are interpreted as markup rather than displayed as text
(a reflected cross-site scripting condition).
IMPACT
======
A user who follows a crafted link that causes the appliance to return an
error page may involuntarily execute attacker-supplied client-side script
in their browser.
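The following Python example is added here to illustrate the defect class
and the fix; it is not CacheOS code and does not reproduce the appliance's
actual error-page templates. The template text, the placeholder names
({url}, {admin}) and the probe URL are hypothetical. It renders the same
error page two ways, once substituting the requested URL verbatim (the
vulnerable behaviour) and once HTML-encoding every substituted value (what
the updated error pages do), and includes a small check an administrator
can run against a captured response body to confirm whether a probe string
comes back as raw markup.

```python
"""Reflected XSS via proxy error pages: vulnerable vs hardened rendering.

Added example, not CacheOS code. ERROR_TEMPLATE, the placeholder names and
the probe values are hypothetical; the technique shown is the HTML-encoding
step that the updated error pages apply to request-derived content.
"""
import html

# Hypothetical error-page template in the style of a proxy "host not found"
# page. {url} is replaced with the URL the client asked for, {admin} with a
# contact address configured by the administrator.
ERROR_TEMPLATE = (
    "<html><head><title>Network Error</title></head><body>"
    "<h1>Network Error (dns_unresolved_hostname)</h1>"
    "<p>Your requested URL could not be retrieved: {url}</p>"
    "<p>For assistance, contact {admin}</p>"
    "</body></html>"
)

# Constructed probe: a request URL carrying script markup, the kind of value
# an attacker would place in a link for the victim to follow.
PROBE_MARKUP = "<script>alert(1)</script>"
PROBE_URL = "http://nonexistent.example/" + PROBE_MARKUP


def render_vulnerable(template, **values):
    """Substitute values verbatim. Any '<', '>', '&' or quotes in the
    requested URL reach the browser as markup: the advisory's defect."""
    return template.format(**values)


def escape_html(value):
    """Encode the five HTML-significant characters (& < > " ') so the
    browser shows the value as text instead of parsing it as markup."""
    return html.escape(str(value), quote=True)


def render_hardened(template, **values):
    """Same template, but every substituted value is HTML-encoded first.
    The template's own markup is untouched; only the data is encoded."""
    return template.format(**{k: escape_html(v) for k, v in values.items()})


def reflects_raw_markup(body, probe=PROBE_MARKUP):
    """Check a captured error-page body: True if the probe is echoed with
    its angle brackets intact (vulnerable), False if it is absent or was
    encoded (e.g. as &lt;script&gt;)."""
    return probe in body


def unescaped_specials(body, injected):
    """List which HTML special characters from the injected value appear
    raw in the body. Empty list means the page encoded all of them."""
    return [c for c in "<>&\"'" if c in injected and c in body]


if __name__ == "__main__":
    bad = render_vulnerable(ERROR_TEMPLATE, url=PROBE_URL, admin="admin@example.net")
    good = render_hardened(ERROR_TEMPLATE, url=PROBE_URL, admin="admin@example.net")
    print("vulnerable page reflects probe:", reflects_raw_markup(bad))
    print("hardened page reflects probe:  ", reflects_raw_markup(good))
    print("hardened rendering of the URL:", escape_html(PROBE_URL))
```

To apply the check to a real appliance, save the HTTP response body of an
error page returned for a probe request and pass it to reflects_raw_markup;
note that the template's own tags are expected in the body, which is why the
check looks for the injected probe rather than for any "<" at all.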
SUGGESTED SOLUTION
==================
Client Accelerators
Upgrade to CA 4.1.07 or higher
Server Accelerators
Upgrade to SA 4.1.07 or higher
Security Gateways
Upgrade to SG 2.1.03 or higher
ALTERNATIVE SOLUTION
====================
Client Accelerators
CA 3.1.XX
Upgrade the custom error pages.
Download the updated error pages file and install instructions at
http://download.cacheflow.com/release/CA/3.1.00-docs/v3.1-error-pages.zip
CA 4.0.XX
Upgrade the custom error pages.
Download the updated error pages file and install instructions at
http://download.cacheflow.com/release/CA/4.0.00-docs/CA4-error-pages.zip
Server Accelerators
SA 4.0.XX
Upgrade the custom error pages.
Download the updated error pages file and install instructions at
http://download.cacheflow.com/release/SA/4.0.00-docs/SA4-error-pages.zip
Security Gateways
None; upgrade to SG 2.1.03 or higher as described above.
Blue Coat Systems (formerly CacheFlow) Support Department
UNITED STATES DOMESTIC: 866.362.2628
DOMESTIC/INTERNATIONAL CALLS: 408.220.2270
ASIA PACIFIC RIM: 81.3.5425.8492
EMAIL: support@bluecoat.com