[Pkg-awstats-devel] Bug#364443: [Fwd: [CVE-2006-1945]: Cross-site scripting allows script injection in awstats 6.5 and earlier]

Laurent Destailleur (Eldy) eldy at users.sourceforge.net
Wed Apr 26 19:29:25 UTC 2006


Charles Fry wrote:
> Hi Eldy,
>
> I assume that you already know about this, but I wanted to make sure.
> Even better, I'd love to have a patch to fix it, so that we can patch up
> Debian. :-)
>
> thanks,
> Charles
>
> ----- Forwarded message from Micah Anderson <micah at debian.org> -----
>
> CVE-2006-1945 says:
>
> Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.5
> and earlier allows remote attackers to inject arbitrary web script or
> HTML via the config parameter.
>
> http://pridels.blogspot.com/2006/04/awstats-65-vuln.html
>
> This flaw exists because input passed to "config" parameter in
> "awstats.pl" isn't properly sanitised before being returned to the user.
> This could allow a user to create a specially crafted URL that would
> execute arbitrary code in a user's browser within the trust relationship
> between the browser and the server, leading to a loss of integrity. Also
> doing XSS vuln. check attacker will get full path disclosure.
>
>   
Yes, I was aware.

1) For the path exposure, to fix it, you can change

            print "If not, you can run \"$dir\tools\awstats_configure.pl\"\nfrom command line, or create it manually.${tagbr}\n";

by

            print "If not, you can run \"awstats_configure.pl\"\nfrom command line, or create it manually.${tagbr}\n";


2) For the XSS, I don't think it's true (I can't see how it can be true).
The full query string is in 6.5 sanitized by the line
$QueryString = CleanFromCSSA($QueryString);
meaning there is never any javascript on generated web pages coming from 
url parameters. So I can't see how a user can force AWStats to build 
pages that contain XSS code coming from these parameters when these 
parameters can't contain < nor > absolutely required to execute javascript.
If I want to fix this "hole", I have to add the sanitizing command 
$QueryString = CleanFromCSSA($QueryString); but this is already done in 
6.5. So I don't know how to fix this (if there is a hole). I didn't find 
anywhere a way to exploit this announcement.


> This affects version 6.5 (build 1.857) and earlier.
>
> ----- End forwarded message -----
>
>   


-- 
Laurent Destailleur.
---------------------------------------------------------------
EMail: eldy at users.sourceforge.net
Web: http://www.destailleur.fr
IM: IRC=Eldy, Jabber=Eldy

AWStats (Author) : http://awstats.sourceforge.net
Dolibarr (Contributor) : http://www.dolibarr.com
CVSChangeLogBuilder (Author) : http://cvschangelogb.sourceforge.net
AWBot (Author) : http://awbot.sourceforge.net
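
Added example, not part of the original message and not AWStats code: one way to handle a reflected parameter such as "config" with two layers, allowlist validation on input and HTML encoding at output, combined with the directory-free message from point 1 of the reply. The helper names valid_config_name, html_escape and config_error_message, the message wording before "If not", and the sample inputs are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helpers (not AWStats functions): validate the reflected
# "config" value on input, then encode it on output.

# Accept only the characters a config/host name needs; reject everything else.
sub valid_config_name {
    my ($name) = @_;
    return defined $name && $name =~ /\A[A-Za-z0-9][A-Za-z0-9._-]{0,127}\z/;
}

# Encode the five HTML-significant characters so the value is inert in both
# element content and quoted attribute values.
sub html_escape {
    my ($text) = @_;
    my %entity = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
                  '"' => '&quot;', "'" => '&#39;');
    $text =~ s/([&<>"'])/$entity{$1}/g;
    return $text;
}

# Build the "config not found" message without any server-side directory
# (point 1 of the reply) and with the reflected value encoded.
sub config_error_message {
    my ($config) = @_;
    my $shown = valid_config_name($config) ? $config : '(invalid name)';
    return 'No configuration found for "' . html_escape($shown) . '". '
         . 'If not, you can run "awstats_configure.pl" from command line, '
         . 'or create it manually.';
}

# Constructed sample inputs: one valid name, two that fail validation.
for my $input ('www.example.org', 'a"b', 'x<y>&z') {
    printf "%-18s valid=%d  escaped=%s\n", $input,
        (valid_config_name($input) ? 1 : 0), html_escape($input);
    print '  ', config_error_message($input), "\n";
}
```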




