
List:       oss-security
Subject:    Re: [oss-security] CVE request: awstats before 7.1 awredir.pl vulnerability
From:       Vincent Danen <vdanen () redhat ! com>
Date:       2012-10-29 18:54:58
Message-ID: 20121029185458.GL2676 () redhat ! com

* [2012-10-25 23:45:13 -0600] Kurt Seifried wrote:

>On 10/25/2012 03:07 AM, Hanno Böck wrote:
>> http://awstats.sourceforge.net/docs/awstats_changelog.txt -
>> Security fix into awredir.pl
>>
>> I didn't find any more info, but please assign a CVE. (and I found
>> there were awredir issues before that got CVE-2009-5020, but I
>> think this is a different issue, at least if their changelogs are
>> correct)
>
>Please use CVE-2012-4547 for this issue.

I suspect it is this:

http://awstats.cvs.sourceforge.net/viewvc/awstats/awstats/wwwroot/cgi-bin/awredir.pl?r1=1.13&r2=1.14

But it's been over a year since this commit (but the last one is 8 months
old and seems to have no security relevance).

So looks to be XSS sanitization.

-- 
Vincent Danen / Red Hat Security Response Team 