IBM Edge Components Caching Proxy XSS Followup

2012.07.01

Credit: BugsNotHugs

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

Rapid7 probably found this vulnerability on October 23 2002
http://seclists.org/fulldisclosure/2002/Oct/330 and its called CVE-
2002-1167
They don't show the output and specify it is error message but the
injection method is the same. The update is it works on IBM Edge
Components Caching Proxy - International English Edition 6.0.2
Reproduce by request nonexistant host and seeing it reflected in error
message -
GET http://server/";<script>alert('NOHUGS')</script> HTTP/1.0

References:

http://seclists.org/fulldisclosure/2012/Jun/424

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

IBM Edge Components Caching Proxy XSS Followup

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.