A malicious user could use a default error page as the basis for a cross-site scripting attack.
- Macromedia Sitespring V1.2.0(277.1) on Windows 2000 Server
You can visit the vendor webpage here: http://www.macromedia.com
The vendor was notified on the 16th of April, 2002. The vendor has since removed the trial software from the webpage. To our knowledge there is no scheduled release date for a patch.
Quoted from the vendor's webpage:
"We will continue to provide technical support for Sitespring through May 2004. Please continue to visit the Sitespring support center for TechNotes, white papers, and other product information. If you've purchased a technical support plan for Sitespring, we will continue to provide support pursuant to the terms of your support agreement. Even though we will not be selling annual Sitespring support packages, you can purchase incident-based support from a technical support engineer."
Replace the error script with a custom error page. If you do not know how to create a .jsp file, simply create a standard 500 error page in HTML and rename it to .jsp.
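
A check for the replacement page, as an added example that is not part of the original advisory or any vendor code: the workaround only helps if the new .jsp stays static, so this Python script flags JSP expressions, scriptlets, EL and `<jsp:` actions in a page's source. Both sample pages are constructed for illustration, and the second one is not Sitespring's actual error script.

```python
import re

# JSP comments are inert, so strip them before looking for dynamic constructs.
JSP_COMMENT = re.compile(r"<%--.*?--%>", re.S)

# Constructs that can emit dynamic (possibly attacker-influenced) output.
# Directives (<%@ ... %>) are deliberately not flagged: they emit nothing.
DYNAMIC_PATTERNS = [
    ("expression", re.compile(r"<%=.*?%>", re.S)),
    ("scriptlet/declaration", re.compile(r"<%(?![@=]).*?%>", re.S)),
    ("EL expression", re.compile(r"[$#]\{.*?\}", re.S)),
    ("jsp action", re.compile(r"<jsp:\w+", re.I)),
]

def find_dynamic_output(jsp_source):
    """Return (kind, snippet) for every construct that makes the page non-static."""
    stripped = JSP_COMMENT.sub("", jsp_source)
    findings = []
    for kind, pattern in DYNAMIC_PATTERNS:
        for match in pattern.finditer(stripped):
            findings.append((kind, match.group(0)))
    return findings

def is_static_error_page(jsp_source):
    """True when the page is plain HTML that cannot echo request data."""
    return not find_dynamic_output(jsp_source)

# Constructed sample: plain HTML 500 page renamed to .jsp, as the advisory suggests.
STATIC_PAGE = """<%-- static replacement, nothing from the request is echoed --%>
<html><head><title>500 Internal Server Error</title></head>
<body><h1>500 Internal Server Error</h1>
<p>The server could not complete the request.</p></body></html>
"""

# Constructed sample: an error page that writes the error text into the response
# without encoding it, the general pattern a custom page must avoid.
ECHOING_PAGE = """<%@ page isErrorPage="true" %>
<html><body><h1>Error</h1>
<p><%= exception.getMessage() %></p></body></html>
"""

if __name__ == "__main__":
    for name, page in (("static", STATIC_PAGE), ("echoing", ECHOING_PAGE)):
        print(name, "OK" if is_static_error_page(page) else find_dynamic_output(page))
```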