#572 XSS Bug: Raw log file is not escaped when outputted as HTML

Status: closed
Owner: nobody
Labels: None
Priority: 5
Updated: 2012-10-11
Created: 2006-08-13
Creator: Lenny Domnitser
Private: No

When awstats prints a raw log, it does not properly
escape HTML (& to &amp;, < to &lt;). Arbitrary HTML can
be left in, for example, a User-Agent header, which can
then perform a cross site scripting attack.

Note: The version of awstats that I use is customized
by my web host. That said, I'm still pretty sure this
is an awstats bug. If it's not, I apologize.
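
The escaping the report describes, as an added example in Perl (the language AWStats is written in). This is not AWStats code and not part of the original report; the function names and the sample log line are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Escape the characters that are significant in HTML text and attribute
# values. '&' is replaced first so that the entities produced by the
# later substitutions are not escaped a second time.
sub escape_html {
    my ($text) = @_;
    $text =~ s/&/&amp;/g;
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    $text =~ s/"/&quot;/g;
    $text =~ s/'/&#39;/g;
    return $text;
}

# Unsafe: the log line is copied into the page as-is (the reported behaviour).
sub render_raw_unescaped {
    my ($line) = @_;
    return '<pre>' . $line . '</pre>';
}

# Safe: every character that came from the log is escaped before output.
sub render_raw_escaped {
    my ($line) = @_;
    return '<pre>' . escape_html($line) . '</pre>';
}

# Constructed sample: a combined-format log line whose User-Agent field
# carries markup supplied by the client.
my $line = '203.0.113.7 - - [13/Aug/2006:10:00:00 +0000] '
         . '"GET / HTTP/1.1" 200 512 "-" "<script>alert(1)</script>"';

print "unescaped: ", render_raw_unescaped($line), "\n";
print "escaped:   ", render_raw_escaped($line), "\n";

# Self-checks: no literal tag from the log survives escaping, and text that
# already looks like an entity is displayed literally instead of decoded.
my $safe = render_raw_escaped($line);
die "markup survived escaping\n" if $safe =~ /<script/i;
die "ampersand not escaped\n"
    unless escape_html('a &lt; b') eq 'a &amp;lt; b';
```

The same escaping applies to every log-derived field the page prints (referrer, request path, hostname), not only User-Agent.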

Discussion

  • The request was closed because date is old.
    Problem might be fixed or patch may be obsolete.

    If this is not true, please resubmit the request.