Several server applications are vulnerable to such a technique via various default error pages.
The victim will be presented with content to which the compromised site did not intend its visitors to be subjected. This vulnerability could be used to "sniff" sensitive data from within the web page, including passwords, credit card numbers, and any arbitrary information the user inputs.
Upgrade to Resin 1.2.4 which was released with the fix on April 11, 2001.
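This note does not describe how the affected error page handles input. As an added example (not Resin or Caucho code), the sketch below assumes an error page that echoes the requested path, renders it with and without HTML encoding, and classifies the result using an inert, constructed marker. All function names and the marker are hypothetical.

```python
import html

# Constructed marker: inert markup used only to see whether output is encoded.
PROBE = '<b id="xss-canary">x</b>'


def render_404_unsafe(requested_path: str) -> str:
    """Error page that echoes the request path verbatim (the flawed pattern)."""
    return f"<html><body><h1>404 Not Found</h1><p>{requested_path} was not found.</p></body></html>"


def render_404_safe(requested_path: str) -> str:
    """Same page with the untrusted path HTML-encoded before insertion."""
    encoded = html.escape(requested_path, quote=True)
    return f"<html><body><h1>404 Not Found</h1><p>{encoded} was not found.</p></body></html>"


def classify_reflection(body: str, probe: str = PROBE) -> str:
    """Classify how an error page handled the probe.

    'raw'     -> probe appears unmodified, so a browser would parse it as markup
    'encoded' -> probe appears only in HTML-encoded form
    'absent'  -> page does not echo the probe at all
    """
    if probe in body:
        return "raw"
    if html.escape(probe, quote=True) in body:
        return "encoded"
    return "absent"


def audit(renderers: dict) -> dict:
    """Run every error-page renderer against the probe and report the verdicts."""
    return {name: classify_reflection(fn("/missing/" + PROBE))
            for name, fn in renderers.items()}


if __name__ == "__main__":
    report = audit({
        "unsafe": render_404_unsafe,
        "safe": render_404_safe,
        # Assumed alternative: a static page that never echoes the request.
        "static": lambda _path: "<html><body>404 Not Found</body></html>",
    })
    for name, verdict in report.items():
        print(f"{name:7s} {verdict}")
```

A `raw` verdict for any custom error page is the condition to fix; `encoded` and `absent` are both acceptable outcomes.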
Our thanks to Hiromitsu Takagi, who discovered this instance of the cross-site scripting vulnerability, and to Scott Ferguson, of Caucho Technologies, for his technical assistance.
| Date First Published: | 2001-07-27 |
| Date Last Updated: | 2001-07-30 18:56 UTC |