Bug#365909: Bug#364443: [Pkg-awstats-devel] Bug#364443: Vulnerability exists also with the 'diricons' parameter

Martin Schulze joey at infodrom.org
Fri May 12 16:34:46 UTC 2006


Hendrik Weimer wrote:
> Martin Schulze <joey at infodrom.org> writes:
> 
> > Umh... but since the query_string is already sanitised globally
> > how can XSS still happen?  Was the sanitising not successful?
> 
> AFAICS the query_string is not being decoded first. Therefore, a '>'
> encoded as %3E will slip through. Version 6.5-2 contains the proper
> fix.

It does.  I understand now.

Regards,

	Joey

-- 
It's time to close the windows.

Please always Cc to me when replying to me on the lists.
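The ordering problem Hendrik describes, as an added Python example that is not AWStats' own code: the rejected-character list and the sample query strings are assumptions constructed for the illustration. It contrasts checking the raw query string before percent-decoding with checking after it.

```python
import re
from typing import Dict, Tuple
from urllib.parse import unquote

# Constructed sample query strings (not taken from the original thread).
SAMPLES = [
    "config=site&diricons=icon",       # harmless value
    "diricons=%3Cb%3Ex%3C/b%3E",       # '<' and '>' arrive percent-encoded
    "diricons=<b>x</b>",               # metacharacters arrive already decoded
]

# Characters the checker refuses. Assumed policy for this example only,
# not the list AWStats itself uses.
UNSAFE = re.compile(r'[<>"\']')


def sanitise_then_decode(qs: str) -> Tuple[bool, str]:
    """Buggy order: the raw query string is checked, then decoded.
    '%3E' contains no '>' so it passes, and only becomes '>' afterwards."""
    if UNSAFE.search(qs):
        return False, ""
    return True, unquote(qs)


def decode_then_sanitise(qs: str) -> Tuple[bool, str]:
    """Correct order: decode exactly once, then check the characters the
    application will actually use. If anything downstream decodes again,
    the check has to move after that decode as well."""
    decoded = unquote(qs)
    if UNSAFE.search(decoded):
        return False, ""
    return True, decoded


def evaluate(qs: str) -> Dict[str, bool]:
    """Run both orders over one query string and report what each lets through."""
    buggy_ok, buggy_val = sanitise_then_decode(qs)
    fixed_ok, _ = decode_then_sanitise(qs)
    return {
        "buggy_accepts": buggy_ok,
        "buggy_value_has_metachars": bool(UNSAFE.search(buggy_val)),
        "fixed_accepts": fixed_ok,
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, evaluate(sample))
```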
