| Field | Value |
|---|---|
| VID | 22302 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | WWW |
**Detailed Description**

The Cherokee Web Server, according to its version number, has a cross-site scripting vulnerability in its error pages. Cherokee is a compact, open-source web server for Microsoft Windows, Linux and Unix-based operating systems. Cherokee versions prior to 0.4.8 are vulnerable to cross-site scripting because the error pages they return echo request data without sanitizing it. A remote attacker could embed malicious script in a URL; once a victim follows the link and the server answers with an error page, the script executes in the victim's browser within the security context of the hosting site. Exploitation may allow theft of cookie-based authentication credentials or other attacks against users of the site.

* Note: This check relies solely on the version number reported by the remote web server, so the result may be a false positive (for example, a build that still reports an old version but carries the fix).
* References:
  * http://secunia.com/advisories/10701/
  * http://www.osvdb.org/displayvuln.php?osvdb_id=3707
* Platforms Affected: Cherokee Development Team, Cherokee prior to 0.4.8, on Unix (any version) and Linux (any version)
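The following is an added example, not the scanner's plugin code, showing the two checks a practitioner would pair for this entry: the banner-only version test this check uses, and a confirmation step that probes an error page for unescaped reflection to weed out the false positives the note warns about. The Server header strings, the probe marker and the minimal 404 page used to build sample responses are constructed here for illustration; they are not Cherokee's real output.

```python
"""Banner check for Cherokee < 0.4.8 plus an error-page reflection confirmation.

Added example for this advisory entry; not the scanner's own plugin. The
banners, the probe marker and render_not_found() are constructed sample data
and a hypothetical error page, not Cherokee's real responses.
"""
import html
import re
from typing import Optional, Tuple

FIXED_VERSION = (0, 4, 8)   # first release the advisory lists as fixed
BANNER_RE = re.compile(r"\bCherokee/(\d+(?:\.\d+)*)", re.IGNORECASE)
PROBE = "<xss_probe_c0ffee>"  # hypothetical marker carried in the request path


def parse_cherokee_version(server_header: str) -> Optional[Tuple[int, ...]]:
    """Return the version tuple from a Server header such as
    'Cherokee/0.4.7 (UNIX)', or None for non-Cherokee or version-less banners."""
    m = BANNER_RE.search(server_header or "")
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def banner_check(server_header: str) -> str:
    """Verdict from the banner alone: 'vulnerable', 'patched' or 'unknown'.

    Tuples compare numerically, so 0.4.10 correctly sorts after 0.4.8, which a
    naive string comparison would get wrong. 'unknown' covers servers that are
    not Cherokee or that strip the version from the banner.
    """
    version = parse_cherokee_version(server_header)
    if version is None:
        return "unknown"
    return "vulnerable" if version < FIXED_VERSION else "patched"


def render_not_found(path: str, escape: bool) -> str:
    """Hypothetical minimal 404 page used to build sample responses.

    escape=False interpolates the requested path raw into HTML, the class of
    defect the advisory describes; escape=True is the corresponding fix.
    """
    shown = html.escape(path, quote=True) if escape else path
    return ("<html><body><h1>404 Not Found</h1>"
            f"<p>The requested URL {shown} was not found on this server.</p>"
            "</body></html>")


def marker_reflected_unescaped(error_page_body: str, marker: str) -> bool:
    """True when the probe appears in the error page with its angle brackets
    intact. A server that escapes emits '&lt;xss_probe_c0ffee&gt;', which is
    inert; the raw tag is the reflected-XSS condition."""
    return marker in error_page_body


def assess(server_header: str, error_page_body: Optional[str] = None,
           marker: str = PROBE) -> str:
    """Combine both checks.

    With no error page the verdict is banner-only, as this scanner check is.
    With an error page, unescaped reflection confirms the issue regardless of
    banner, while an old banner whose page escapes the probe is flagged as a
    probable false positive (backported fix or custom error page).
    """
    verdict = banner_check(server_header)
    if error_page_body is None:
        return verdict
    if marker_reflected_unescaped(error_page_body, marker):
        return "confirmed"
    if verdict == "vulnerable":
        return "probable false positive"
    return verdict


if __name__ == "__main__":
    # Constructed sample responses: an old build that reflects the probe raw,
    # and the same build with the escaping fix applied.
    old_banner = "Cherokee/0.4.7 (UNIX)"
    raw_page = render_not_found("/" + PROBE, escape=False)
    fixed_page = render_not_found("/" + PROBE, escape=True)
    print("banner only:", assess(old_banner))
    print("with raw reflection:", assess(old_banner, raw_page))
    print("with escaped page:", assess(old_banner, fixed_page))
```

In practice the confirmation request is a GET for a path containing the marker to a resource that does not exist, and the body of the resulting error response is passed to `assess()`; the banner-only path is what produces the false positives the note above describes.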
**Recommendation**

Upgrade to the latest version of Cherokee (0.4.8 or later), available from the Cherokee download page at http://www.alobbs.com/cherokee/download
| Related URL | Source |
|---|---|
| CVE-2004-2171 | CVE |
| 9496 | SecurityFocus |
| 14936 | ISS |