XSS Bug: Raw log file is not escaped when outputted as HTML
AWStats Log Analyzer
Brought to you by: eldy, manolamancha
When awstats prints a raw log, it does not properly
escape HTML (& to &amp;, < to &lt;). Arbitrary HTML can
be left in, for example, a User-Agent header, which can
then perform a cross site scripting attack.
Note: The version of awstats that I use is customized
by my web host. That said, I'm still pretty sure this
is an awstats bug. If it's not, I apologize.
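The output escaping the report asks for, shown as an added example that is not part of the original report and is not AWStats code (AWStats is written in Perl; this sketch uses Python). It parses constructed Apache combined-format log lines and renders them as HTML table rows, encoding every log-derived field at output time; the regular expression, function names and sample lines are assumptions made for illustration.

```python
import html
import re

# Apache/NCSA "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"'
)
FIELDS = ("host", "time", "request", "status", "size", "referer", "agent")

# Constructed sample lines (not from a real log). The second one carries
# markup in the User-Agent header and an ampersand in the query string.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2005:13:55:36 +0000] "GET /index.html HTTP/1.1" '
    '200 2326 "-" "Mozilla/5.0 (X11; Linux)"',
    '192.0.2.77 - - [10/Oct/2005:13:56:01 +0000] "GET /a?x=1&y=2 HTTP/1.1" '
    '200 512 "-" "<script>alert(1)</script>"',
]

def parse(line):
    """Return the named fields of one log line, or None if it does not match."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None

def row_unescaped(rec):
    """Behaviour described in the report: log text copied into HTML as-is."""
    return "<tr>" + "".join(f"<td>{rec[f]}</td>" for f in FIELDS) + "</tr>"

def row_escaped(rec):
    """Fix: HTML-encode every log-derived value where it is written out."""
    cells = (html.escape(rec[f], quote=True) for f in FIELDS)
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"

def render(lines, row=row_escaped):
    """Render log lines as an HTML table using the given row function."""
    rows = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            # Unparseable lines are still client-influenced: escape them whole.
            rows.append(f'<tr><td colspan="{len(FIELDS)}">{html.escape(line)}</td></tr>')
        else:
            rows.append(row(rec))
    return "<table>\n" + "\n".join(rows) + "\n</table>"

if __name__ == "__main__":
    print(render(SAMPLE_LOG))
```

Escaping happens when the value is written into the page, not when the log is read, so the stored log stays byte-for-byte intact for other consumers.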
The request was closed because the date is old.
Problem might be fixed or patch may be obsolete.
If this is not true, please resubmit the request.