Cherokee webserver contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate invalid URLs before they are provided to the user in an error message. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Upgrade to version 0.4.8 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

• Secunia Advisory ID: 10701
• ISS X-Force ID: 14936
• CVE ID: 2004-2171 (see also: NVD)
• Bugtraq ID: 9496
• Vendor Specific Advisory URL: http://bugs.alobbs.com/show_bug.cgi?id=29
• Generic Informational URL: http://cvs.alobbs.com/cgi-bin/cvsweb/~checkout~/cherokee/ChangeLog?rev=1.177;content-type=text%2Fplain
• Vendor URL: http://www.alobbs.com/modules.php?op=modload&name=cherokee&file=index

• César Fernández -