#686 XSS Issue

closed
Other (206)
9
2014-08-20
2008-06-23
Morgan Todd
No

There is a Cross Site Scripting Issue when the action attribute is output for the form tag. Please see this PoC: http://www.example.com/awstats/awstats.pl?config=www.example.com&%22onload=%22alert(document.domain)//

Discussion

  • Laurent Destailleur (Eldy)

    Logged In: YES
    user_id=96898
    Originator: NO

    A fix is available in CVS.

     
  • SourceForge Robot

    Logged In: YES
    user_id=1312539
    Originator: NO

    This Tracker item was closed automatically by the system. It was
    previously set to a Pending status, and the original submitter
    did not respond within 14 days (the time period specified by
    the administrator of this Tracker).

     
  • Aurelien Bompard

    Debian used a different fix for this for this issue, which looks more secure :
    @@ -4407,6 +4407,7 @@ sub DecodeEncodedString {
    my $stringtodecode=shift;
    $stringtodecode =~ tr/+/ /s;
    $stringtodecode =~ s/%([A-F0-9][A-F0-9])/pack("C", hex($1))/ieg;
    + $stringtodecode =~ s/["']//g;
    return $stringtodecode;
    }

    Basically they are removing both types of quotes after the url-decoding. Laurent, what do you think ?

     
  • Laurent Destailleur (Eldy)

    I added the fix suggested by the patch in CVS (for 7.0)

     
  • Tim Jackson

    Tim Jackson - 2009-01-10

    So to be clear, is 6.9 secure or not? The implication seems to be that it is not, without the Debian-modified patch (which is not in 6.9). If the modified patch fixes a real hole that is exploitable then it would be good to have an update on http://awstats.sourceforge.net/awstats_security_news.php to that effect.

     

Log in to post a comment.

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:

JavaScript is required for this form.





No, thanks