SecurityTracker.com

SecurityTracker Archives

Category:   Application (Web Server/CGI)  >   Proxomitron
Vendors:   Lemmon, Scott R.
Proxomitron Web Filtering Proxy Allows Remote Users to Conduct Cross-site Scripting Attacks and Cause Arbitrary Code to be Executed by the Proxomitron Users' Browser, Possibly Disclosing Cookies
SecurityTracker Alert ID:  1002074
SecurityTracker URL:  http://securitytracker.com/id/1002074
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 24 2001
Impact:   Disclosure of user information, Execution of arbitrary code via network

Version(s): Naoko-4 BetaFour or earlier
Description:   A cross-site scripting vulnerability was reported in the Proxomitron web filtering proxy that could allow a remote user to cause Javascript to be executed by a user of Proxomitron and the user's cookies to be disclosed.

If a user accesses the following URL while using Proxomitron as a proxy, the user's browser will execute the embedded Javascript when Proxomitron returns the URL in an error message.

http://[examplehost]:9999/<SCRIPT>document.write(document.domain)</SCRIPT>

This allows a remote user to embed malicious JavaScript code in links in an HTML page that, when loaded, will be executed in the Proxomitron users' browser. Cookies issued from an arbitrary specified site can be stolen.

Impact:   A user could create HTML that, when loaded by a Proxomitron user, would cause arbitrary Javascript to be executed in the Proxomitron user's browser in the domain of a remote web server. This could allow the user's cookies for that domain to be disclosed to another server.
Solution:   The vendor has released Naoko-4 BetaFive, available at: http://spywaresucks.org/prox/beta.html
Vendor URL:  spywaresucks.org/prox/index.html
Cause:   Input validation error
Underlying OS:  Windows (Me), Windows (NT), Windows (95), Windows (98), Windows (2000)

Message History:   None.


 Source Message Contents

Subject:  Proxomitron Cross-site Scripting Vulnerability


Proxomitron Cross-site Scripting Vulnerability
==============================================

Affected versions
=================
  Proxomitron Naoko-4 BetaFour or earlier
  http://spywaresucks.org/prox/

Problem
=======
  Accessing the following URL with the browser configured to use
  Proxomitron as a proxy,
    http://www.example.com:9999/<SCRIPT>document.write(document.domain)</SCRIPT>
                           ---- inactive port
  will cause Proxomitron to produce output like this:
     ========================================================
     <html><head><title>The Proxomitron Reveals...</title>
     ...
     The Proxomitron couldn't connect to...<br>
     <font color=#ffff00 size=+1 > www.example.com:9999/<SCRIPT>document.write(document.domain)</SCRIPT>
     </font><br>
     The site may be busy or the web server may be down.
     ...
     ========================================================
  and this will be shown as the following:
     ========================================================
     Error connecting to site
     The Proxomitron couldn't connect to...
     www.example.com:9999/www.example.com 
     The site may be busy or the web server may be down. 
     ========================================================
  The noteworthy point is that the JavaScript code will be executed on
  an arbitrary specified domain.
  
  Therefore, malicious JavaScript code written by an attacker can be
  executed in the browser and the Cookies issued from an arbitrary
  specified site can be stolen.
  
  cf. The same problem was found in Squid 2.4 DEVEL4.
  <http://www.securityfocus.com/archive/1/197606>

Status
======
  Notified: 
    21 Jul 2001 05:19:22 +0900
  Fix: 
    Proxomitron Naoko-4 BetaFive
    http://spywaresucks.org/prox/beta.html
    Changes.txt:
    > BETA FIVE:
    > * Fixed a potential JavaScript exploit that could result from 
    > including HTML in a bad URL. Proxomitron's error message output
    > would echo the URL to the browser allowing the code to be
    > processed. This could let JavaScript run seemingly under that
    > URL (and might lead to cookie vulnerabilities).
    > All echoed text is now HTML escaped before being printed. 
    > (My thanks to Hiromitsu Takagi for alerting me to this).

--
Hiromitsu Takagi, Ph.D.
National Institute of Advanced Industrial Science and Technology,
Tsukuba Central 2, 1-1-1, Umezono, Tsukuba, Ibaraki 305-8568, Japan
http://www.etl.go.jp/~takagi/
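The advisory's description (the echoed URL reaching the browser unescaped) and the vendor's BetaFive fix ("all echoed text is now HTML escaped") are both captured in the following added example. It is illustrative code written for this page, not Proxomitron's own source: `error_page_unescaped` models the BetaFour error page shown above, `error_page_escaped` applies the same escaping the fix describes, and `reflected_tags` is a defender's check for whether markup from a request URL comes back verbatim in a response body. The sample request is the advisory's proof-of-concept URL; port 9999 is assumed to be closed so the proxy answers with its own error page.

```python
import html
import re

# Constructed sample request, taken from the advisory's proof-of-concept URL.
# Port 9999 is assumed closed, so the proxy never reaches the origin server
# and answers with its own error page instead.
BAD_URL = "http://www.example.com:9999/<SCRIPT>document.write(document.domain)</SCRIPT>"


def _display_target(url):
    # Proxomitron's message shows the URL without the scheme ("www.example.com:9999/...").
    return url.split("://", 1)[-1]


def error_page_unescaped(url):
    """Models the Naoko-4 BetaFour behaviour described in the advisory: the failing
    URL is echoed verbatim into the HTML error page, so any markup in the URL reaches
    the browser intact and runs in the origin of the requested host."""
    return (
        "<html><head><title>The Proxomitron Reveals...</title></head><body>\n"
        "The Proxomitron couldn't connect to...<br>\n"
        f"<font color=#ffff00 size=+1 > {_display_target(url)}</font><br>\n"
        "The site may be busy or the web server may be down.\n"
        "</body></html>\n"
    )


def error_page_escaped(url):
    """Models the BetaFive fix ("all echoed text is now HTML escaped"): the same page,
    but the echoed URL is passed through html.escape so '<', '>', '&' and quotes
    become character references and the browser renders them as text."""
    safe_target = html.escape(_display_target(url), quote=True)
    return (
        "<html><head><title>The Proxomitron Reveals...</title></head><body>\n"
        "The Proxomitron couldn't connect to...<br>\n"
        f"<font color=#ffff00 size=+1 > {safe_target}</font><br>\n"
        "The site may be busy or the web server may be down.\n"
        "</body></html>\n"
    )


# Matches anything shaped like an HTML tag, e.g. <SCRIPT> or </SCRIPT>.
_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def reflected_tags(request_url, response_body):
    """Defender's check: return the HTML tags found in the request URL that appear
    verbatim (i.e. unescaped) in the response body. An empty list means the echo
    is safe; a non-empty list is the reflection pattern this advisory describes."""
    return [tag for tag in _TAG_RE.findall(request_url) if tag in response_body]


if __name__ == "__main__":
    print("BetaFour-style page reflects:", reflected_tags(BAD_URL, error_page_unescaped(BAD_URL)))
    print("BetaFive-style page reflects:", reflected_tags(BAD_URL, error_page_escaped(BAD_URL)))
```

The check is deliberately simple: it only asks whether tag-shaped substrings of the request come back unchanged. That is enough to flag an error page that echoes a URL raw, which is the whole defect here; it is not a general XSS scanner, and escaping at the point of output (as the fix does) is the mitigation, not the check.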


Copyright 2021, SecurityGlobal.net LLC