oss-sec mailing list archives
Re: CVE request: awstats before 7.1 awredir.pl vulnerability
From: Vincent Danen <vdanen () redhat com>
Date: Mon, 29 Oct 2012 12:54:58 -0600
* [2012-10-25 23:45:13 -0600] Kurt Seifried wrote:
> On 10/25/2012 03:07 AM, Hanno Böck wrote:
>> http://awstats.sourceforge.net/docs/awstats_changelog.txt
>> - Security fix into awredir.pl
>>
>> I didn't find any more info, but please assign a CVE.
>>
>> (and I found there were awredir issues before that got CVE-2009-5020,
>> but I think this is a different issue, at least if their changelogs
>> are correct)
>
> Please use CVE-2012-4547 for this issue.
I suspect it is this:

http://awstats.cvs.sourceforge.net/viewvc/awstats/awstats/wwwroot/cgi-bin/awredir.pl?r1=1.13&r2=1.14

But it's been over a year since this commit (but the last one is 8mos old and seems to have no security relevance).

So looks to be XSS sanitization.

--
Vincent Danen / Red Hat Security Response Team