VID 21380
Severity 30
Port 80, ...
Protocol TCP
Class CGI
Detailed Description According to its version number, the remote OpenCA installation has a web frontend cross-site scripting vulnerability.
OpenCA is a Certification Authority security project for authenticating user credentials. OpenCA versions 0.9.1-8 and prior and 0.9.2 RC6 are vulnerable to cross-site scripting, caused by improper filtering of user input submitted to a web form in the frontend. By sending malicious user data containing embedded HTML to the web frontends, a remote attacker could cause the embedded code to be executed in the victim's Web browser. A remote attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

* Note: This check relies solely on the version number reported by the remote OpenCA installation on the web server to assess this vulnerability, so the result might be a false positive.

* References:
http://archives.neohapsis.com/archives/bugtraq/2004-09/0047.html
http://securitytracker.com/alerts/2004/Sep/1011167.html

* Platforms Affected:
OpenCA, OpenCA 0.9.1-8 and prior
OpenCA, OpenCA 0.9.2 RC6
Any operating system Any version
Recommendation For OpenCA versions 0.9.1-8 and prior:
Upgrade to the latest version of OpenCA (0.9.1-9 or later), which fixes this vulnerability, available from the OpenCA Web site at http://sourceforge.net/projects/openca/

For OpenCA version 0.9.2 RC6:
Upgrade to the latest Developers Version, available from the OpenCA Web site at http://sourceforge.net/projects/openca/
Related URL CVE-2004-0787 (CVE)
Related URL 11113 (SecurityFocus)
Related URL 17274 (ISS)