Jigsaw HTTP Proxy server cross-site scripting

jigsaw-http-proxy-xss (9914) The risk level is classified as MediumMedium Risk

Description:

Jigsaw is vulnerable to cross-site scripting, caused by improper filtering of URLs. If a remote attacker embeds malicious script within a URL to a hostname that cannot be resolved by the HTTP proxy, the attacker would cause an error page to be displayed containing the malicious URL, once the link is clicked. This would cause the embedded script to be executed in the victim's Web browser within the security context of the hosting site. An attacker could use this vulnerability to steal the victim's cookies or hijack Web content.


Consequences:

Gain Access

Remedy:

Upgrade to the latest version of Jigsaw (2.2.1 or later), available from the Jigsaw Web site. See References.

References:

  • BugTraq Mailing List, Sat Aug 17 2002 - 14:10:45 CDT : W3C Jigsaw Proxy Server: Cross-Site Scripting Vulnerability (REPOST).
  • Jigsaw Web site: Documentation Overview.
  • Jigsaw Web site: Jigsaw Overview.
  • BID-5506: W3C Jigsaw Proxy Server Cross-Site Scripting Vulnerability
  • CVE-2002-1053: Cross-site scripting (XSS) vulnerability in W3C Jigsaw Proxy Server before 2.2.1 allows remote attackers to execute arbitrary script via a URL that contains a reference to a nonexistent host followed by the script, which is included in the resulting error message.
  • OSVDB ID: 4015: Jigsaw HTTP Proxy Error Page XSS

Platforms Affected:

  • W3C Jigsaw 2.2.0 and prior

Reported:

Aug 17, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email ignore thisxforceignore this@ignore thisus.ignore thisibm.comignore this

Return to the main page