Title: Inktomi Traffic Server Cross-Site Scripting Vulnerability
Severity: HIGH
Description:
Inktomi Traffic Server is a transparent web caching application. It is designed for use with Unix and Linux variants as well as Microsoft Windows operating environments.
Inktomi Traffic Server is prone to a cross-site scripting vulnerability. This is due to insufficient sanitization of input passed to the proxy, which will be echoed back in error pages under some circumstances.
It has been reported that Inktomi Traffic Server will generate errors when an open port other than 80/http is requested. The connection will time out when the request port on the remote system is closed, which will not generate an error. There is one reported exception to this. The proxy server will generate an error for requests to port 443/https regardless of whether the port is open or whether the requested host exists.
A malicious attacker could exploit this issue by creating a link which contains hostile HTML and script code and then enticing users of the proxy to visit the link. When the link is visited via the proxy, attacker-supplied script may be interpreted in the user's browser.
Exploitation could permit HTML and script code to access properties of the domain that is requested through the proxy. This could permit theft of cookie-based authentication credentials from arbitrary domains or other attacks.
Affected Products:
- Inktomi Traffic Server 4.0.18
- Inktomi Traffic Server 4.0.20
- Inktomi Traffic Server 5.1.3
- Inktomi Traffic Server 5.2.0.0-R
- Inktomi Traffic Server 5.2.1
- Inktomi Traffic Server 5.2.2
References:
- Inktomi: Inktomi Homepage
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
