#686 XSS Issue

Other (206)
Morgan Todd

There is a Cross Site Scripting Issue when the action attribute is output for the form tag. Please see this PoC: http://www.example.com/awstats/awstats.pl?config=www.example.com&%22onload=%22alert(document.domain)//


  • Laurent Destailleur (Eldy)

    Logged In: YES
    Originator: NO

    A fix is available in CVS.

  • SourceForge Robot

    Logged In: YES
    Originator: NO

    This Tracker item was closed automatically by the system. It was
    previously set to a Pending status, and the original submitter
    did not respond within 14 days (the time period specified by
    the administrator of this Tracker).

  • Aurelien Bompard

    Debian used a different fix for this for this issue, which looks more secure :
    @@ -4407,6 +4407,7 @@ sub DecodeEncodedString {
    my $stringtodecode=shift;
    $stringtodecode =~ tr/+/ /s;
    $stringtodecode =~ s/%([A-F0-9][A-F0-9])/pack("C", hex($1))/ieg;
    + $stringtodecode =~ s/["']//g;
    return $stringtodecode;

    Basically they are removing both types of quotes after the url-decoding. Laurent, what do you think ?

  • Laurent Destailleur (Eldy)

    I added the fix suggested by the patch in CVS (for 7.0)

  • Tim Jackson

    Tim Jackson - 2009-01-10

    So to be clear, is 6.9 secure or not? The implication seems to be that it is not, without the Debian-modified patch (which is not in 6.9). If the modified patch fixes a real hole that is exploitable then it would be good to have an update on http://awstats.sourceforge.net/awstats_security_news.php to that effect.


Log in to post a comment.