Cherokee Error Page Cross Site Scripting Vulnerability
BID:9496
Info
Cherokee Error Page Cross Site Scripting Vulnerability
| Bugtraq ID: | 9496 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Jan 26 2004 12:00AM |
| Updated: | Jan 26 2004 12:00AM |
| Credit: | Discovery of this issue has been credited to César Fernández. |
| Vulnerable: |
Cherokee Cherokee HTTPD 0.4.7 Cherokee Cherokee HTTPD 0.4.6 Cherokee Cherokee HTTPD 0.2.7 Cherokee Cherokee HTTPD 0.2.6 Cherokee Cherokee HTTPD 0.2.5 Cherokee Cherokee HTTPD 0.2 Cherokee Cherokee HTTPD 0.1.6 Cherokee Cherokee HTTPD 0.1.5 Cherokee Cherokee HTTPD 0.1 |
| Not Vulnerable: |
Cherokee Cherokee HTTPD 0.4.8 |
Discussion
Cherokee Error Page Cross Site Scripting Vulnerability
Cherokee has been reported to contain a cross-site scripting vulnerability via error pages.
An attacker can exploit this issue by crafting a URI link containing the malevolent HTML or script code, and enticing a user to follow it. The attacker-supplied code may be rendered in the web browser of a user who follows the malicious link. Exploitation of this issue may allow for theft of cookie-based authentication credentials or other attacks.
Cherokee has been reported to contain a cross-site scripting vulnerability via error pages.
An attacker can exploit this issue by crafting a URI link containing the malevolent HTML or script code, and enticing a user to follow it. The attacker-supplied code may be rendered in the web browser of a user who follows the malicious link. Exploitation of this issue may allow for theft of cookie-based authentication credentials or other attacks.
Exploit / POC
Cherokee Error Page Cross Site Scripting Vulnerability
The following proof of concept has been provided.
http://www.example.com/<script>alert(document.cookie)</script>
The following proof of concept has been provided.
http://www.example.com/<script>alert(document.cookie)</script>
Solution / Fix
Cherokee Error Page Cross Site Scripting Vulnerability
Solution:
The vendor has provided an upgrade that has dealt with this issue.
Cherokee Cherokee HTTPD 0.4.7
Solution:
The vendor has provided an upgrade that has dealt with this issue.
Cherokee Cherokee HTTPD 0.4.7
-
Cherokee cherokee-0.4.8.tar.gz
ftp://alobbs.com/cherokee/0.4/cherokee-0.4.8.tar.gz