A vulnerability has been discovered in Symantec Web Security. Symantec Web Security does not check and parse HTML tags in URLs that it includes in the error or block page messages displayed to the client when a page is blocked.
Malicious scripts hidden in URLs can be executed.
Symantec Web Security 2.5, 3.0.0, and 3.0.1
An attacker can potentially include malicious scripts in the URL. If the page is blocked, the client executes them in the context of the site specified in the URL.
Symantec verified that this vulnerability exists in the currently supported versions of Symantec Web Security 3.0.1. This issue is fixed in the latest release of Symantec Web Security 3.0.1, build 62.
The Symantec Web Security default block pages can be modified to not return the offending URL to the client.
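The sketch below is an added example, not Symantec's code: it contrasts a block page that copies the requested URL into its HTML verbatim with one that HTML-encodes it, and with the workaround above of not returning the URL at all. The template, function names and sample URL are hypothetical and constructed for illustration.

```python
import html

# Hypothetical block-page template; the product's real template is not shown on this page.
BLOCK_TEMPLATE = (
    "<html><body><h1>Access denied</h1>"
    "<p>The requested page was blocked by policy.</p>{detail}</body></html>"
)

# Constructed sample: a URL carrying an inert HTML tag and quote characters.
SAMPLE_URL = 'http://blocked.example/<b>marker</b>?q="x"'


def render_unsafe(url: str) -> str:
    """Flawed pattern described in the advisory: URL copied into the page unencoded."""
    return BLOCK_TEMPLATE.format(detail=f"<p>URL: {url}</p>")


def render_escaped(url: str) -> str:
    """Output encoding: <, >, &, and quotes become entities, so tags render as text."""
    return BLOCK_TEMPLATE.format(detail=f"<p>URL: {html.escape(url, quote=True)}</p>")


def render_without_url() -> str:
    """Workaround from the advisory: the block page does not return the URL."""
    return BLOCK_TEMPLATE.format(detail="")


def reflects_markup(page: str, url: str) -> bool:
    """Regression check: True if a URL containing markup characters appears verbatim."""
    return any(ch in url for ch in "<>\"'") and url in page


if __name__ == "__main__":
    for name, page in (
        ("unsafe", render_unsafe(SAMPLE_URL)),
        ("escaped", render_escaped(SAMPLE_URL)),
        ("no-url", render_without_url()),
    ):
        print(f"{name:8} reflects markup: {reflects_markup(page, SAMPLE_URL)}")
```

A check like `reflects_markup` can be run against a customized block page template after editing it, to confirm the change did not reintroduce the raw URL.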
Symantec takes the security and proper functionality of its products seriously. Symantec appreciates the efforts of Oliver.Karow and Brian Soby of Raytheon who independently discovered this vulnerability. Their assistance in the resolution of this vulnerability was indispensable.