SA28 : Cross-Site Scripting Vulnerability in ICAP Patience Page

1161

03 March 2020

29 September 2008

CLOSED

LOW

SUMMARY

The ICAP patience page (used to notify the user that a requested object is being scanned) is vulnerable to a cross-site scripting attack.

MITIGATION

Customize the "details" section of the ICAP patience page so that it does not include the $(url) substitution.

The details section can be customized using the Management Console by accessing Configuration->External Services->ICAP and selecting the "ICAP Patience Page" tab, or via the CLI from the "external-services" mode using the "inline http icap-patience details" command.
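As an added illustration (not Blue Coat's code; the template wording and the `$(name)` token grammar are assumptions), the following Python shows why the mitigation targets `$(url)`: a substitution that copies the requested URL into the page verbatim reflects whatever markup the request carried, while a details template without `$(url)` does not. It also includes a small check that a details template contains no `$(url)` reference, and an HTML-escaped rendering mode shown for contrast, which goes beyond the advisory's own mitigation.

```python
import html
import re

# Constructed sample "details" templates for the ICAP patience page. The
# $(url) substitution is the one the advisory names; the surrounding wording
# is an assumption, not Blue Coat's shipped default text.
VULNERABLE_DETAILS = "Please wait while $(url) is scanned for viruses."
MITIGATED_DETAILS = "Please wait while the requested object is scanned for viruses."

# $(name)-style substitution tokens (assumed to be lowercase identifiers).
SUBST_RE = re.compile(r"\$\(([a-z_]+)\)")


def render_details(template: str, values: dict, escape: bool = False) -> str:
    """Expand $(name) substitutions in a details template.

    With escape=False the substituted value lands in the HTML verbatim, which
    is what turns a request-controlled value such as $(url) into a reflected
    XSS sink. escape=True shows the HTML-encoded alternative for contrast.
    """
    def substitute(match):
        value = values.get(match.group(1), "")
        return html.escape(value, quote=True) if escape else value
    return SUBST_RE.sub(substitute, template)


def details_uses_url_substitution(template: str) -> bool:
    """Configuration check mirroring the advisory's mitigation: the details
    section must not reference $(url)."""
    return "url" in SUBST_RE.findall(template)


def reflects_markup(rendered: str, untrusted: str) -> bool:
    """True if tag characters from the untrusted value reached the output raw."""
    return "<" in untrusted and untrusted in rendered


if __name__ == "__main__":
    # Constructed request URL carrying markup in its query string.
    url = "http://example.com/?q=<script>test</script>"
    for name, tpl in (("vulnerable", VULNERABLE_DETAILS),
                      ("mitigated", MITIGATED_DETAILS)):
        out = render_details(tpl, {"url": url})
        print(f"{name}: uses $(url)={details_uses_url_substitution(tpl)} "
              f"reflects markup={reflects_markup(out, url)}")
```

Running `details_uses_url_substitution` over an exported details template is a quick way to confirm the mitigation has actually been applied on a given appliance.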

REFERENCES

Security Focus BugTraq