Symantec Norton Internet Security Blocked Site XSS

2003-10-27T04:50:34
ID OSVDB:2714
Type osvdb
Reporter OSVDB
Modified 2003-10-27T04:50:34

Description

Vulnerability Description

Norton Internet Security 2003 and 2004 contain a flaw that allows a remote cross-site scripting attack. The flaw exists because the application does not validate user input when a submitted URL is included in a blocked site error message. This could allow an attacker to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
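
The class of flaw described above, shown as an added example that is not Symantec's code or part of the original entry: a blocked-site notice that echoes the requested URL unencoded, next to a form that validates the URL and HTML-encodes it before output. The page markup, function names, display limit and sample URL are assumptions made for illustration.

```python
import html
from urllib.parse import urlsplit

# Hypothetical block-page markup and names; nothing here is Symantec's code.
PAGE = ("<html><body><h1>Site blocked</h1>"
        "<p>Requested URL: {url}</p><p>Host: {host}</p></body></html>")
PLACEHOLDER = "(unrecognised URL)"
MAX_SHOWN = 200  # assumed display limit for the echoed URL


def render_unsafe(requested_url):
    """'Before' form: the URL is copied into the page unvalidated and unencoded."""
    return PAGE.format(url=requested_url, host="")


def render_hardened(requested_url):
    """Validate the URL, then HTML-encode every value placed in the page.

    Returns (headers, body). The CSP header is defence in depth: even if an
    encoding step were missed, inline script would not run.
    """
    try:
        parts = urlsplit(requested_url)
        ok = parts.scheme.lower() in ("http", "https") and bool(parts.hostname)
    except ValueError:  # e.g. malformed IPv6 literal
        ok = False
    if ok:
        # Truncate before encoding so an entity is never cut in half.
        shown_url = html.escape(requested_url[:MAX_SHOWN], quote=True)
        shown_host = html.escape(parts.hostname, quote=True)
    else:
        shown_url = shown_host = PLACEHOLDER
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }
    return headers, PAGE.format(url=shown_url, host=shown_host)


# Constructed sample input: a URL whose path carries markup.
SAMPLE = "http://blocked.example/<script>marker()</script>"

if __name__ == "__main__":
    print(render_unsafe(SAMPLE))
    print(render_hardened(SAMPLE)[1])
```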

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, Norton has released a patch to address this vulnerability.

References:

Vendor Specific Advisory URL
Secunia Advisory ID: 10067
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2003-10/0260.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2003-10/0289.html
ISS X-Force ID: 13528
Generic Informational URL: http://www.digitalpranksters.com/advisories/symantec/InternetSec2003.html
Bugtraq ID: 8904