A cross-site scripting vulnerability exists in the default error page of Macromedia’s Sitespring.
July 18, 2002
Reported July 17, 2002, by Peter Gründl.
VERSION AFFECTED
Macromedia Sitespring 2.0 for Windows 2000 Server
DESCRIPTION
A cross-site scripting vulnerability exists in the default error page of Macromedia’s Sitespring. Because the default HTTP 500 error script doesn't check the contents of the error ticket parameter before outputting it, an attacker can inject JavaScript into the URL.
VENDOR RESPONSE
The vendor, Macromedia, hasn't released a fix for this vulnerability, but affected users can work around the problem by replacing the default HTTP 500 error page with a custom page.
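The workaround above, sketched as an added example (not Macromedia's code and not part of the original advisory): a replacement HTTP 500 page that checks the ticket value against an allowlist and HTML-encodes it before output, shown beside the unchecked pattern the description refers to. The parameter name `ticket`, the ticket format, the page template and the URLs are assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Assumed ticket format for this example: a short alphanumeric/hyphen token.
TICKET_RE = re.compile(r"[A-Za-z0-9-]{1,64}")

# Hypothetical error page template; {ticket} lands in an HTML text context.
PAGE = "<html><body><h1>HTTP 500</h1><p>Error ticket: {ticket}</p></body></html>"


def ticket_from_url(url, param="ticket"):
    """Return the URL-decoded ticket value from the query string, or ''."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get(param, [])
    return values[0] if values else ""


def render_unsafe(url):
    """Flawed pattern: the parameter is written into the page unchecked."""
    return PAGE.format(ticket=ticket_from_url(url))


def render_safe(url):
    """Custom error page: allowlist the value, then HTML-encode the output."""
    ticket = ticket_from_url(url)
    if not TICKET_RE.fullmatch(ticket):
        # Never echo a value that does not look like a ticket.
        ticket = "unavailable"
    # Encoding is kept even after validation, as defence in depth.
    return PAGE.format(ticket=html.escape(ticket, quote=True))


if __name__ == "__main__":
    # Constructed sample requests (hypothetical host and path).
    samples = [
        "http://sitespring.example/error?ticket=AB-1234",
        "http://sitespring.example/error?ticket=%3Cscript%3Eprobe()%3C/script%3E",
        "http://sitespring.example/error",
    ]
    for url in samples:
        print("unsafe:", render_unsafe(url))
        print("safe:  ", render_safe(url))
```
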
CREDIT
Discovered by Peter Gründl.