This Tracker item was closed automatically by the system. It was
previously set to a Pending status, and the original submitter
did not respond within 14 days (the time period specified by
the administrator of this Tracker).
Debian used a different fix for this issue, which looks more secure:
@@ -4407,6 +4407,7 @@ sub DecodeEncodedString {
my $stringtodecode=shift;
$stringtodecode =~ tr/+/ /s;
$stringtodecode =~ s/%([A-F0-9][A-F0-9])/pack("C", hex($1))/ieg;
+ $stringtodecode =~ s/["']//g;
return $stringtodecode;
}
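Review bot: the added `$stringtodecode =~ s/["']//g;` runs after a single percent-decoding pass, so a double-encoded quote (`%2522`) comes out of the line above as `%22`, contains no literal quote and passes the filter; that only matters if some caller decodes the value again, but nothing in the hunk rules that out. It is also a two-character denylist placed in a generic decoder: every caller of DecodeEncodedString silently loses legitimate quotes, while any other character the output context treats as special passes through unchanged. Escaping or rejecting at the point where the decoded value is used would be narrower and would not depend on how many times the value is decoded.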
Basically they are removing both types of quotes after the URL-decoding. Laurent, what do you think?
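To see what the Debian line actually changes, here is an added example that is not code from the thread or from AWStats: it copies the three lines of the hunk into a small Perl script, once as shown before the Debian change and once with the quote-stripping line, and runs constructed inputs through both. The names `decode_original` and `decode_debian` and all of the input strings are made up for this example; whether any AWStats caller percent-decodes a value a second time is not established by this thread, so the final check is hypothetical.

```perl
#!/usr/bin/perl
# Added example, not AWStats code: the DecodeEncodedString body from the hunk,
# with and without the Debian quote-stripping line, run on constructed inputs.
use strict;
use warnings;

# Body of DecodeEncodedString as shown in the hunk, before the Debian line.
sub decode_original {
    my $stringtodecode = shift;
    $stringtodecode =~ tr/+/ /s;                                      # '+' -> ' ', runs squeezed
    $stringtodecode =~ s/%([A-F0-9][A-F0-9])/pack("C", hex($1))/ieg;  # one %XX decoding pass
    return $stringtodecode;
}

# Same decoder with the Debian line: both quote characters removed after decoding.
sub decode_debian {
    my $stringtodecode = decode_original(shift);
    $stringtodecode =~ s/["']//g;
    return $stringtodecode;
}

# Constructed inputs (not taken from any AWStats log or report).
my @inputs = (
    'plain++value',        # repeated '+' squeezed to a single space
    'a%22b%27c',           # single-encoded " and ': removed by the Debian line
    'x%3Cb%3Ey',           # other decoded characters are left untouched
    'a%2522b%2527c',       # double-encoded quotes: one pass leaves %22 / %27 behind
    'say+%22hello%22',     # legitimate quotes disappear silently
);

printf "%-20s | %-16s | %s\n", 'input', 'original', 'debian';
for my $in (@inputs) {
    printf "%-20s | %-16s | %s\n", $in, decode_original($in), decode_debian($in);
}

# Hypothetical caller: if the filtered value were percent-decoded once more,
# the quotes that survived the filter as %22 / %27 would reappear as " and '.
my $filtered = decode_debian('a%2522b%2527c');   # a%22b%27c (no quote to strip)
my $again    = decode_original($filtered);        # a"b'c
print "filtered: $filtered  decoded again: $again\n";
```

The table shows both sides of the trade-off in the comment above: the Debian line does remove every literal quote produced by one decoding pass, and it does so for legitimate input as well, while leaving any other decoded character alone.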
So to be clear, is 6.9 secure or not? The implication seems to be that it is not, without the Debian-modified patch (which is not in 6.9). If the modified patch fixes a real hole that is exploitable then it would be good to have an update on http://awstats.sourceforge.net/awstats_security_news.php to that effect.
A fix is available in CVS.
I added the fix suggested by the patch in CVS (for 7.0).