[Pkg-awstats-devel] Bug#364443: [Fwd: [CVE-2006-1945]: Cross-site scripting allows script injection in awstats 6.5 and earlier]
Charles Fry
debian at frogcircus.org
Wed Apr 26 00:34:07 UTC 2006
Hi Eldy,
I assume that you already know about this, but I wanted to make sure.
Even better, I'd love to have a patch to fix it, so that we can patch up
Debian. :-)
thanks,
Charles
----- Forwarded message from Micah Anderson <micah at debian.org> -----
CVE-2006-1945 says:
Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.5
and earlier allows remote attackers to inject arbitrary web script or
HTML via the config parameter.
http://pridels.blogspot.com/2006/04/awstats-65-vuln.html
This flaw exists because input passed to the "config" parameter in
"awstats.pl" isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would
execute arbitrary code in a user's browser within the trust relationship
between the browser and the server, leading to a loss of integrity. Also,
when doing the XSS vulnerability check, the attacker will get full path disclosure.
This affects version 6.5 (build 1.857) and earlier.
----- End forwarded message -----
--
The answer to
A shaver's dream
A greaseless
No brush
Shaving cream
Burma-Shave
http://burma-shave.org/jingles/1934/the_answer_to
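The forwarded advisory describes a classic reflected XSS: a request parameter is echoed into the HTML response without escaping. The Perl snippet below is an added illustration of that pattern and its fix; it is not AWStats code and does not reproduce the awstats.pl logic. The function names, the regular expression used to validate the parameter, and the sample payload are all hypothetical choices for the demo.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical demo of a reflected XSS in a CGI parameter (not AWStats code).
# Vulnerable form: the raw value of the "config" parameter is interpolated
# straight into the page, so "<script>" in the URL becomes script in the
# victim's browser, executing in the server's origin.
sub render_vulnerable {
    my ($config) = @_;
    return "<p>Using config: $config</p>";
}

# Hardened, step 1: HTML-escape any value that is reflected into the page.
# The five characters below are the ones that can break out of text or an
# attribute value in HTML.
sub html_escape {
    my ($s) = @_;
    my %map = (
        '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
        '"' => '&quot;', "'" => '&#39;',
    );
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Hardened, step 2: the parameter selects a configuration file, so accept
# only a short, plain identifier (a hypothetical allow-list) before using it
# at all. Rejecting "..", "/" and other punctuation also closes the door on
# path tricks that an escape-only fix would leave open.
sub validate_config {
    my ($config) = @_;
    return undef unless defined $config;
    return undef unless $config =~ /\A[A-Za-z0-9_.-]{1,64}\z/;
    return undef if $config =~ /\.\./;
    return $config;
}

# The error branch deliberately echoes neither the rejected input nor any
# filesystem path, which is the other leak the forwarded text mentions.
sub render_hardened {
    my ($config) = @_;
    my $ok = validate_config($config);
    return "<p>Error: unknown config</p>" unless defined $ok;
    return "<p>Using config: " . html_escape($ok) . "</p>";
}

# Constructed sample inputs for the demo.
my $payload = q{<script>alert(1)</script>};
print render_vulnerable($payload), "\n";   # script tag reaches the browser
print render_hardened($payload),   "\n";   # rejected by validate_config
print render_hardened("site1"),    "\n";   # normal value passes through
```

Validation on its own is the more important half here: escaping makes the reflected value safe to display, but a parameter that names a file on disk should never reach the filesystem unless it matches a strict allow-list.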