Hmm 4.2 is the only supported version of 4.x.
> On Sep 24, 2014, at 1:17 AM, Javier Nieto (JIRA) <[email protected]> wrote:
>
> Javier Nieto created TS-3095:
> --------------------------------
>
>              Summary: Apache Traffic Server - XSS flaws due to unescaped hostnames
>                  Key: TS-3095
>                  URL: https://issues.apache.org/jira/browse/TS-3095
>              Project: Traffic Server
>           Issue Type: Bug
>             Reporter: Javier Nieto
>
>
> Hi,
>
> I've found a security issue in Apache Traffic Server v4.0.2 and 4.1.2. I
> believe it is similar to CVE-2012-3499.
>
> The vulnerability is due to unescaped hostnames.
> If we change the hostname in the HTTP header to HTML code, Apache Traffic
> Server does not properly filter HTML code from user-supplied input before
> displaying the input. A remote user can cause arbitrary scripting code to be
> executed by the target user's browser. The code will originate from the site
> running the Apache software and will run in the security context of that
> site. As a result, the code will be able to access the target user's cookies
> (including authentication cookies), if any, associated with the site, access
> data recently submitted by the target user via web form to the site, or take
> actions on the site acting as the target user.
>
> Let me show you a POC:
> https://drive.google.com/file/d/0B7mOdnCWDYLBa3VQTHNjZGN0OU0/edit?usp=sharing
>
> I did several tests and I was able to get the user cookies by changing the
> hostname (in the HTTP header) to this code <img src=x onerror=alert(document.cookie)>
>
> The latest versions 4.2.0 and 4.2.1 don't have this problem. I think this bug
> should have a CVE in order to let the administrators know the risk of
> using this version.
>
> Hope to hear from you soon.
> --
> Javier Nieto
>
>
>
> --
> This message was sent by Atlassian JIRA
> (v6.3.4#6332)
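The bug class the report describes, a request's Host header copied into an HTML error page without escaping, as an added example that is not code from the Traffic Server project or from the reporter. It is written in Python rather than the proxy's C++ for brevity. The two renderers are hypothetical stand-ins for the proxy's error-page template (the real template text is not on this page), the raw request is constructed here to show what the proof of concept sends, and `classify_reflection` is the check a tester would run over a captured response body to tell an unescaped reflection from an escaped one.

```python
"""
Added example, not Apache Traffic Server code: a Host header reflected
into an HTML error page without escaping (the defect in TS-3095), the
same template with the hostname escaped, and a three-way check for
captured response bodies. Renderers and request bytes are constructed
stand-ins, not the project's own output.
"""
import html

# Payload quoted in the report. A legitimate hostname can never contain
# '<', so any copy of this string with its markup intact in a response
# body means the server reflected the Host header unescaped.
PAYLOAD = "<img src=x onerror=alert(document.cookie)>"


def build_request(host: str, path: str = "/") -> bytes:
    """Raw HTTP/1.1 request with an attacker-chosen Host header, as the
    proof of concept would send it over a plain socket. Built by hand
    because ordinary client libraries refuse a Host value containing '<'."""
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("latin-1")


def render_error_page_vulnerable(host: str) -> str:
    """Hypothetical error-page template that interpolates the hostname
    verbatim: the shape of the defect the report describes. The page is
    served from the proxy's origin, so the script runs in that origin."""
    return (
        "<html><head><title>Unknown Host</title></head><body>"
        f"<p>Description: Unable to locate the server named <b>{host}</b>.</p>"
        "</body></html>"
    )


def render_error_page_fixed(host: str) -> str:
    """Same template with the hostname HTML-escaped at the point of
    interpolation. quote=True also encodes '"' and "'" so the value stays
    inert inside attribute values, not only inside text nodes."""
    safe_host = html.escape(host, quote=True)
    return (
        "<html><head><title>Unknown Host</title></head><body>"
        f"<p>Description: Unable to locate the server named <b>{safe_host}</b>.</p>"
        "</body></html>"
    )


def classify_reflection(body: str, probe: str) -> str:
    """How a captured response body handled the probe:
    'unescaped' -> markup came back intact (reflected XSS),
    'escaped'   -> it came back entity-encoded (rendered as text),
    'absent'    -> the value was not reflected at all."""
    if probe in body:
        return "unescaped"
    if html.escape(probe, quote=True) in body or html.escape(probe, quote=False) in body:
        return "escaped"
    return "absent"


if __name__ == "__main__":
    print(build_request(PAYLOAD).decode("latin-1"))
    for name, page in (
        ("vulnerable", render_error_page_vulnerable(PAYLOAD)),
        ("fixed", render_error_page_fixed(PAYLOAD)),
        ("fixed, benign host", render_error_page_fixed("example.com")),
    ):
        print(f"{name}: {classify_reflection(page, PAYLOAD)}")
```

When testing a real deployment, send the request from `build_request` to the proxy for a hostname it cannot resolve, capture the body of the error response, and run `classify_reflection` on it; only `unescaped` indicates the bug, while `escaped` shows the template is encoding the value and `absent` means the hostname is not echoed on that page at all.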
