Package: awstats
Version: 6.5+dfsg-1
Severity: grave
Tags: security patch
Justification: user security hole


From http://sourceforge.net/tracker/index.php?func=detail&aid=2001151&group_id=13764&atid=113764

There is a Cross Site Scripting Issue when the action attribute is output
for the form tag. Please see this PoC:
        
http://www.example.com/awstats/awstats.pl?config=www.example.com&%22onload=%22alert(document.domain)//

This seems to affect any version below 6.9 beta.

I believe this is the fix:
http://awstats.cvs.sourceforge.net/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.910&r2=1.911
--- a/wwwroot/cgi-bin/awstats.pl        2008/04/21 21:13:28     1.910
+++ b/wwwroot/cgi-bin/awstats.pl        2008/07/27 17:41:57     1.911
@@ -4406,6 +4406,7 @@
 sub DecodeEncodedString {
        my $stringtodecode=shift;
        $stringtodecode =~ tr/\+/ /s;
+       $stringtodecode =~ s/%22//g;
        $stringtodecode =~ s/%([A-F0-9][A-F0-9])/pack("C", hex($1))/ieg;
        return $stringtodecode;
 }
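Review bot: The added `s/%22//g` in DecodeEncodedString removes only the percent-encoded form of the double quote, so a literal `"` in the input is untouched by this line and still comes out of the function unchanged. It also silently drops data for every caller of what is a generic decoding helper, including values where a quote is legitimate. I would leave the decoder as it was and instead HTML-encode the value at the point where it is written into the form's action attribute (`"` to `&quot;`, `&` to `&amp;`, plus the `<` and `>` handling CleanXSS already has), so the fix does not depend on how the character arrived.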
@@ -4458,9 +4459,12 @@
 #------------------------------------------------------------------------------
 sub CleanXSS {
        my $stringtoclean=shift;
+       # To avoid html tags and javascript
        $stringtoclean =~ s/</&lt;/g;
        $stringtoclean =~ s/>/&gt;/g;
        $stringtoclean =~ s/|//g;
+       # To avoid onload="
+       $stringtoclean =~ s/onload//g;
        return $stringtoclean;
 }
 
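Review bot: The new `s/onload//g` in CleanXSS is a case-sensitive match on a single attribute name, so it addresses the one string from the PoC rather than the underlying problem, which is that a double quote can close the attribute value. Encoding `"` (and `'` and `&`) as entities in this function, next to the existing `<` and `>` substitutions, would cover the attribute context without a keyword list. Separately, the unchanged context line `$stringtoclean =~ s/|//g;` uses an unescaped `|`, which is an alternation of two empty patterns and therefore removes nothing; if the intent is to strip pipe characters it needs to be `s/\|//g`.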