Proxy error messages crossite scripting updated since 27.10.2000
Published:		20.08.2002
Source:		VULN-DEV
SecurityVulns ID:		668
Type:		client
Level:		6/10
Description:		In error message URL is not escaped, it makes it possible to inject javascript into URL.

Affected:		SQUID : squid 2.4
		W3C : Jigsaw 2.2
		CERN : CERN HTTPD 3.0

Original document		TAKAGI, Hiromitsu, W3C Jigsaw Proxy Server: Cross-Site Scripting Vulnerability (REPOST) (20.08.2002)
		TAKAGI, Hiromitsu, CERN Proxy Server: Cross-Site Scripting Vulnerability (16.08.2002)
		3APA3A, Re: Squid doesn't quote urls in error messages. (27.10.2000)
		Lincoln Yeoh, Squid doesn't quote urls in error messages. (27.10.2000)

Discuss:

Read or add your comments to this news (0 comments)