Charles Fry wrote:
Hi Eldy,

I assume that you already know about this, but I wanted to make sure.
Even better, I'd love to have a patch to fix it, so that we can patch up
Debian. :-)

thanks,
Charles

----- Forwarded message from Micah Anderson <[EMAIL PROTECTED]> -----

CVE-2006-1945 says:

Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.5
and earlier allows remote attackers to inject arbitrary web script or
HTML via the config parameter.

http://pridels.blogspot.com/2006/04/awstats-65-vuln.html

This flaw exists because input passed to the "config" parameter in
"awstats.pl" isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would
execute arbitrary code in a user's browser within the trust relationship
between the browser and the server, leading to a loss of integrity. Also,
when doing the XSS vuln. check, the attacker will get full path disclosure.


Yes, I was aware.

1) For the path exposure, to fix it, you can change

           print "If not, you can run
\"$dir\tools\awstats_configure.pl\"\nfrom command line, or create it
manually.${tagbr}\n";

by

           print "If not, you can run \"awstats_configure.pl\"\nfrom
command line, or create it manually.${tagbr}\n";


2) For the XSS, I don't think it's true (I can't see how it can be true).
The full query string is in 6.5 sanitized by the line
$QueryString = CleanFromCSSA($QueryString);
meaning there is never any javascript on generated web pages coming from
url parameters. So I can't see how a user can force AWStats to build
pages that contain XSS code coming from these parameters when these
parameters can't contain < nor >, absolutely required to execute javascript.
If I want to fix this "hole", I have to add the sanitizing command
$QueryString = CleanFromCSSA($QueryString); but this is already done in
6.5. So I don't know how to fix this (if there is a hole). I didn't find
anywhere a way to exploit this announcement.


This affects version 6.5 (build 1.857) and earlier.

----- End forwarded message -----




--
Laurent Destailleur.
---------------------------------------------------------------
EMail: [EMAIL PROTECTED]
Web: http://www.destailleur.fr
IM: IRC=Eldy, Jabber=Eldy

AWStats (Author) : http://awstats.sourceforge.net
Dolibarr (Contributor) : http://www.dolibarr.com
CVSChangeLogBuilder (Author) : http://cvschangelogb.sourceforge.net
AWBot (Author) : http://awbot.sourceforge.net
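As an added illustration (not AWStats code, and not written by anyone in this thread): a Perl sketch of handling the config parameter the way the thread describes, allowlisting the name, entity-encoding it when it is echoed back, and leaving the install directory out of the error text. The names valid_config_name, html_escape and config_not_found_message are my own; CleanFromCSSA is AWStats' function and is not reproduced here.

```perl
#!/usr/bin/perl
# Added example, not AWStats code. Validates the "config" parameter and
# encodes it before echoing it in an error page, without printing the
# install directory ($dir) as the original message did.
use strict;
use warnings;

# Accept only the characters a config name legitimately needs (AWStats
# config files are named awstats.<name>.conf); reject everything else.
sub valid_config_name {
    my ($name) = @_;
    return (defined $name && $name =~ /^[A-Za-z0-9_.-]{1,64}$/) ? 1 : 0;
}

# Entity-encode for an HTML context. Besides < and > this also covers
# & and both quote characters, so the value is safe inside an attribute.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Build the "config file not found" message. The directory path is
# deliberately omitted, matching the fix proposed in the thread.
sub config_not_found_message {
    my ($config, $tagbr) = @_;
    my $shown = valid_config_name($config)
              ? html_escape($config)
              : '(invalid config name)';
    return "Error: config file for \"$shown\" was not found.${tagbr}\n"
         . "If not, you can run \"awstats_configure.pl\"\nfrom "
         . "command line, or create it manually.${tagbr}\n";
}

# Constructed sample inputs: a normal name, one with a space,
# one containing markup.
for my $config ('mysite', 'my site', '<b>x</b>') {
    print config_not_found_message($config, '<br />');
}
```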

