[Pkg-awstats-devel] Bug#364443: [CVE-2006-1945]: Cross-site scripting allows script injection in awstats 6.5 and earlier
Micah Anderson
micah at debian.org
Sun Apr 23 14:30:33 UTC 2006
Package: awstats
Severity: important
Tags: security
CVE-2006-1945 says:
Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.5
and earlier allows remote attackers to inject arbitrary web script or
HTML via the config parameter.
http://pridels.blogspot.com/2006/04/awstats-65-vuln.html
This flaw exists because input passed to the "config" parameter in
"awstats.pl" isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would
execute arbitrary code in a user's browser within the trust relationship
between the browser and the server, leading to a loss of integrity. Also,
when checking for the XSS vulnerability, an attacker will get full path disclosure.
This affects version 6.5 (build 1.857) and earlier.
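The two defects the report describes, an unsanitised "config" value echoed back into the page and the error text revealing where the script looked for its configuration file, are shown side by side below. This is an added illustration written for this bug entry, not code from AWStats or from the reporter; the error-page renderers, the config directories and the allowed-name pattern are all constructed assumptions, not the script's real logic.

```python
import html
import re

# Constructed allow-list for a config name: letters, digits, dot, underscore, dash.
# A slash or any HTML metacharacter fails this check.
CONFIG_NAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")

# Placeholder search directories; not the paths used by the real script.
CONFIG_DIRS = ["/etc/awstats", "/usr/local/etc/awstats"]


def vulnerable_error_page(config: str) -> str:
    """Weak pattern: the raw parameter and the searched file names are
    written straight into the HTML response. Any markup in `config` is
    rendered by the browser, and the message leaks filesystem paths."""
    searched = ", ".join(f"{d}/awstats.{config}.conf" for d in CONFIG_DIRS)
    return f"<p>Error: couldn't open config file ({searched})</p>"


def validate_config_name(config: str):
    """Return the name if it matches the allow-list, else None."""
    if not config or len(config) > 64 or not CONFIG_NAME_RE.match(config):
        return None
    return config


def hardened_error_page(config: str) -> str:
    """Corrected pattern: validate first, escape on output, and never
    include filesystem paths in a message shown to the client."""
    name = validate_config_name(config)
    if name is None:
        # Generic message: no attacker-controlled text, no paths.
        return "<p>Error: invalid config name</p>"
    # Even an allow-listed value is HTML-escaped before it is echoed.
    return f"<p>Error: no configuration named {html.escape(name)}</p>"


def reflected_unescaped(param: str, page: str) -> bool:
    """Simple regression check: does the page contain the input verbatim?"""
    return param in page


if __name__ == "__main__":
    probe = "<i>marker</i>"  # harmless markup used only to detect reflection
    print("vulnerable reflects input:", reflected_unescaped(probe, vulnerable_error_page(probe)))
    print("hardened reflects input:  ", reflected_unescaped(probe, hardened_error_page(probe)))
    print(hardened_error_page("mysite"))
```

The allow-list is the stronger of the two controls: a value that cannot contain `<`, `"` or `/` cannot carry markup and cannot be steered into another directory, and the output escaping remains as a second layer in case the validation is loosened later. Keeping the configuration search path out of the client-visible message removes the path disclosure independently of the XSS fix.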
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16+vserver
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)