Menu
▾
▴
#686 XSS Issue
There is a Cross Site Scripting Issue when the action attribute is output for the form tag. Please see this PoC: http://www.example.com/awstats/awstats.pl?config=www.example.com&%22onload=%22alert(document.domain)//
Logged In: YES
user_id=96898
Originator: NO
A fix is available in CVS.
Logged In: YES
user_id=1312539
Originator: NO
This Tracker item was closed automatically by the system. It was
previously set to a Pending status, and the original submitter
did not respond within 14 days (the time period specified by
the administrator of this Tracker).
Debian used a different fix for this for this issue, which looks more secure :
@@ -4407,6 +4407,7 @@ sub DecodeEncodedString {
my $stringtodecode=shift;
$stringtodecode =~ tr/+/ /s;
$stringtodecode =~ s/%([A-F0-9][A-F0-9])/pack("C", hex($1))/ieg;
+ $stringtodecode =~ s/["']//g;
return $stringtodecode;
}
Basically they are removing both types of quotes after the url-decoding. Laurent, what do you think ?
I added the fix suggested by the patch in CVS (for 7.0)
So to be clear, is 6.9 secure or not? The implication seems to be that it is not, without the Debian-modified patch (which is not in 6.9). If the modified patch fixes a real hole that is exploitable then it would be good to have an update on http://awstats.sourceforge.net/awstats_security_news.php to that effect.