Skip Navigation

  • Home
  • Contact us
  • FAQ
  • Glossary
  • Public key
  • Sitemap
  • Cymraeg
  • What's new
CPNI - Centre for the Protection of National Infastructure

Advanced search

  • About CPNI
  • The threats
  • Security planning
  • Methods of attack
  • Protecting your assets
  • Products and services
    • CSIRTUK advisories
      • Advisories archive
    • General protective security publications
    • InfoSec briefings
    • InfoSec technical notes
    • InfoSec vulnerability disclosures
    • Good practice guidelines
    • Viewpoints
    • Information exchanges
    • Risk Management Delivery Group
  • Research
Home > Products and services > CSIRTUK advisories > Advisories archive > April 2007 > InterSystems Corporation Cache Database Sample Cache Server Page (CSP) XSS Vulnerability

April 2007

InterSystems Corporation Cache Database Sample Cache Server Page (CSP) XSS Vulnerability

ID: 107
Ref: 049/2007
Date: 04 April 2007:10:19:25
Version: 1
Title: InterSystems Corporation Cache Database Sample Cache Server Page (CSP) XSS Vulnerability
Abstract: The sample Caché Server Pages shipped with the Caché database contain a number of Cross Site Scripting vulnerabilities. These could enable an attacker to target users of a web application deployed on the same system.
Package Name: InterSystems Cache Database Vendor InterSystems Corporation
URL: http://www.intersystems.com/

Version: All Caché installations containing CSP sample files including current release.

Overview:
The sample Caché Server Pages shipped with the Caché database contain a number of Cross Site Scripting (XSS) vulnerabilities. These could enable an attacker to target users of a web application deployed on the same system.

Impact:
The impact of the vulnerability will depend on the nature of the application located on the same system as the sample code. However, the vulnerability could enable an attacker to hijack a user’s session or perform other actions under the security context the application is granted within the user’s browser.

Cause:
The affected pages do not adequately sanitise the user input that can be provided to various parameters. The hostile input is also not subject to HTML encoding when being displayed back to a user’s browser.

Interim Workaround:
Remove all sample Caché Server Pages as is described within the InterSytems system configuration documentation.

Full details are available from:
http://www.mwrinfosecurity.com/news/1658.html

______________________________________________________________________________

CPNI values your feedback.

1. Which of the following most reflects the value of the advisory to you?
(Place an 'X' next to your choice)

Very useful:__ Useful:__ Not useful:__

2. If you did not find it useful, why not?


3. Any other comments? How could we improve our advisories?


Thank you for your contribution.
______________________________________________________________________________

For additional information or assistance, please contact our help desk by telephone.

You may send Not Protectively Marked information via e-mail to infosec@cpni.gov.uk.

Office hours:

Mon - Fri: 09:00 - 16:30 hours
Tel: +44 (0) 870 487 0748 and follow the voice prompts
Fax: +44 (0) 870 487 0749

On-call duty officer outside office hours:
Tel: +44 (0) 870 487 0748 and follow the voice prompts

______________________________________________________________________________

CPNI wishes to acknowledge the contributions of MWR InfoSecurity for the Information contained in this advisory.
______________________________________________________________________________
  • Accessibility |
  • Terms and conditions |
  • Privacy statement |
  • Data protection act |
  • Freedom of information |