CVE-2002-1060 in CacheOS
Summary
by MITRE
Cross-site scripting (XSS) vulnerability in Blue Coat Systems (formerly CacheFlow) CacheOS on Client Accelerator 4.1.06, Security Gateway 2.1.02, and Server Accelerator 4.1.06 allows remote attackers to inject arbitrary web script or HTML via a URL to a nonexistent hostname that includes the HTML, which is inserted into the resulting error page.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 09/10/2025
The vulnerability identified as CVE-2002-1060 represents a critical cross-site scripting flaw within Blue Coat Systems CacheOS software across multiple product lines including Client Accelerator 4.1.06, Security Gateway 2.1.02, and Server Accelerator 4.1.06. This vulnerability operates at the application layer and specifically targets the error handling mechanisms of the caching infrastructure. The flaw stems from inadequate input validation and sanitization of URL parameters when processing requests for nonexistent hostnames. When a remote attacker submits a malformed URL containing embedded HTML or script code to a non-existent hostname, the system fails to properly escape or filter this input before displaying it in the generated error page response. This represents a classic XSS vulnerability that falls under CWE-79 which defines the weakness of insufficient input validation and output encoding. The attack vector leverages the system's error reporting functionality as an injection point, exploiting the trust placed in the application's error page generation process.
The operational impact of this vulnerability extends beyond simple script execution as it enables attackers to perform session hijacking, defacement of web applications, and data theft from authenticated users. When users encounter the error page containing malicious script code, the injected content executes within their browser context, potentially stealing cookies, session tokens, or other sensitive information. The vulnerability is particularly dangerous because it can be triggered through legitimate error handling scenarios that users encounter during normal browsing operations. Attackers can craft malicious URLs that appear legitimate to users, making this vector highly effective for social engineering attacks. The vulnerability aligns with ATT&CK technique T1566.001 which describes the use of malicious web content to compromise systems. The attack requires no special privileges or authentication, making it accessible to any remote user who can submit requests to the vulnerable system.
Mitigation strategies for this vulnerability must address both the immediate security gap and the underlying architectural issues. Organizations should implement comprehensive input validation and output encoding mechanisms that sanitize all user-supplied data before it can be rendered in error pages or other user-facing interfaces. The most effective immediate solution involves configuring the CacheOS system to properly escape HTML characters and filter malicious content from URL parameters. Security patches from Blue Coat Systems should be applied immediately to address the root cause, though in this case the vulnerability was discovered in 2002 and represents an older system that may no longer receive updates. Network-level protections such as web application firewalls can provide additional defense in depth, though they are not a complete solution. Organizations should also consider implementing proper error handling policies that avoid displaying raw user input in error messages, instead using generic error pages that do not contain potentially malicious content. Regular security assessments and penetration testing should verify that similar vulnerabilities do not exist in other components of the caching infrastructure, as this represents a broader class of input validation issues that can affect web applications and network infrastructure components. The vulnerability demonstrates the critical importance of proper input sanitization and output encoding in preventing XSS attacks, particularly in systems that handle user requests and generate dynamic responses.