Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE request: awstats before 7.1 awredir.pl vulnerability
From: Vincent Danen <vdanen () redhat com>
Date: Mon, 29 Oct 2012 12:54:58 -0600

* [2012-10-25 23:45:13 -0600] Kurt Seifried wrote:

On 10/25/2012 03:07 AM, Hanno Böck wrote:
http://awstats.sourceforge.net/docs/awstats_changelog.txt -
Security fix into awredir.pl

I didn't find any more info, but please assign a CVE. (and i found
there were awredir issues before that got CVE-2009-5020, but I
think this is a different issue, at least if their changelogs are
correct)

Please use CVE-2012-4547 for this issue.

I suspect it is this:

http://awstats.cvs.sourceforge.net/viewvc/awstats/awstats/wwwroot/cgi-bin/awredir.pl?r1=1.13&r2=1.14

But it's been over a year since this commit (but the last one is 8mos
old and seems to have no security relevance).

So looks to be XSS sanitization.

--
Vincent Danen / Red Hat Security Response Team

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]