| Field | Value |
|---|---|
| VID | 22241 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | WWW |
| Detailed Description | The thttpd HTTP server has a cross-site scripting vulnerability in its 404 error page. thttpd, developed by Acme Labs, is a free Web server daemon available for most Unix-based operating systems. thttpd version 2.20b and possibly other versions fail to check URLs for the presence of script commands when generating error pages. A remote attacker could create a specially crafted URL link containing malicious script. Once the link is clicked, the server returns an error message that includes the script, and the script executes in the victim's Web browser within the security context of the hosted site.<br>References: http://archives.neohapsis.com/archives/vuln-dev/2002-q2/0155.html<br>Platforms Affected: thttpd 2.20b; thttpd 2.20c; Unix (any version); Linux (any version) |
| Recommendation | No patch available for this flaw. Upgrade to the latest version of thttpd (2.24 or later), available from the thttpd Web site at http://www.acme.com/software/thttpd/ |
| Related URL | CVE-2002-0733 (CVE) |
| Related URL | 4601 (SecurityFocus) |
| Related URL | 9029 (ISS) |