Full Disclosure mailing list archives
Re: iDEFENSE Security Advisory 08.09.05: AWStats
From: "iDEFENSE Labs" <labs-no-reply () idefense com>
Date: Thu, 11 Aug 2005 12:55:43 -0400
Martin,

Apologies for the confusion, and thank you for bringing this to our attention. The version information was slightly off in our original advisory. The vulnerability does affect AWStats 6.4 and prior, and the flaw has been addressed in AWStats 6.5.

The patch was introduced inadvertently when all eval() calls were replaced with sane function calls in the cvs commit shown here:

http://cvs.sourceforge.net/viewcvs.py/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.819&r2=1.820&diff_format=u

The patched function in AWStats 6.5 is at lines 4925 - 4936 of the awstats.pl script:

    sub ShowURLInfo {
        my $url=shift;
        my $nompage=CleanFromCSSA($url);
        # Call to plugins' function ShowInfoURL
        foreach my $pluginname (keys %{$PluginsLoaded{'ShowInfoURL'}}) {
            # my $function="ShowInfoURL_$pluginname('$url')";
            # eval("$function");
            my $function="ShowInfoURL_$pluginname";
            &$function($url);
        }
    }

The public advisory on our website has been updated and can be accessed at the following url:

http://www.idefense.com/application/poi/display?id=290&type=vulnerabilities&flashstatus=true

iDEFENSE Labs

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
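The eval-to-direct-call change the message describes, as an added Perl example that is not AWStats' own code: a hypothetical plugin hook ShowInfoURL_demo and a constructed URL are fed through both dispatch styles, the string-eval form the commented-out lines show and the direct call that replaced it.

```perl
#!/usr/bin/perl
# Added example, not AWStats code. The plugin name, the hook body and the
# URLs below are constructed for illustration.
use strict;
use warnings;

# Hypothetical plugin hook, named the way AWStats names ShowInfoURL hooks.
sub ShowInfoURL_demo {
    my $url = shift;
    return "demo saw: $url";
}

# Pre-patch pattern: the URL is interpolated into Perl source text and
# then compiled, so any quote or Perl syntax inside $url alters the
# program instead of being handled as data.
sub dispatch_eval_string {
    my ($pluginname, $url) = @_;
    my $function = "ShowInfoURL_$pluginname('$url')";
    my $result   = eval("$function");
    return defined $result ? $result : "eval failed: $@";
}

# Post-patch pattern: the plugin name selects the subroutine and the URL
# is passed as an ordinary argument, never parsed as code.
sub dispatch_direct_call {
    my ($pluginname, $url) = @_;
    my $function = "ShowInfoURL_$pluginname";
    no strict 'refs';    # symbolic sub name, as in the 6.5 patch
    return &$function($url);
}

# Constructed inputs: a plain URL and one containing a single quote,
# which terminates the quoted argument in the generated source text.
my $plain  = "/index.html";
my $quoted = "/index.html'";

# String eval: plain URL reaches the hook; quoted URL does not compile
# as Perl, eval returns undef and $@ carries the parse error.
print dispatch_eval_string('demo', $plain),  "\n";
print dispatch_eval_string('demo', $quoted), "\n";

# Direct call: both URLs reach the hook unchanged, quote included.
print dispatch_direct_call('demo', $plain),  "\n";
print dispatch_direct_call('demo', $quoted), "\n";
```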
Current thread:
- Re: iDEFENSE Security Advisory 08.09.05: AWStats iDEFENSE Labs (Aug 11)