[Pkg-awstats-devel] Bug#378960: awstats: CVE-2006-3681 CVE-2006-3682: multiple vulnerabilities

Alec Berryman alec at thened.net
Thu Jul 20 02:32:54 UTC 2006


Package: awstats
Version: 6.5-2
Severity: serious
Tags: security

CVE-2006-3681: "Multiple cross-site scripting (XSS) vulnerabilities in
awstats.pl in AWStats 6.5 build 1.857 and earlier allow remote attackers
to inject arbitrary web script or HTML via the (1) refererpagesfilter,
(2) refererpagesfilterex, (3) urlfilterex, (4) urlfilter, (5)
hostfilter, or (6) hostfilterex parameters, a different set of vectors
than CVE-2006-1945."

CVE-2006-3682: "awstats.pl in AWStats 6.5 build 1.857 and earlier allows
remote attackers to obtain the installation path via the (1) year, (2)
pluginmode or (3) month parameters."

I have not verified either vulnerability.  The original advisory [1]
has sample exploits.

This is not the same as #364443 or #365909.  Sarge is probably affected.

Please mention the CVEs in your changelog.

Thanks,

Alec

[1] http://pridels.blogspot.com/2006/04/awstats-65x-multiple-vuln.html

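As an added example (not part of this bug report or of AWStats itself), a small Python scanner that reads web-server access-log lines in Common Log Format and flags awstats.pl requests whose six filter parameters from CVE-2006-3681 contain HTML markup characters, or whose three parameters from CVE-2006-3682 carry values that are not plain alphanumerics. The parameter names come from the CVE text above; the log lines are constructed samples and the character heuristics are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameter names quoted in CVE-2006-3681 (reflected XSS) and CVE-2006-3682 (path disclosure).
XSS_PARAMS = {"refererpagesfilter", "refererpagesfilterex", "urlfilterex",
              "urlfilter", "hostfilter", "hostfilterex"}
INFO_PARAMS = {"year", "pluginmode", "month"}

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')
MARKUP = re.compile(r'[<>"\']')          # characters that must never reach an unescaped page
PLAIN = re.compile(r'[A-Za-z0-9_]+')     # year/month/pluginmode are expected to be simple tokens

def inspect_line(line):
    """Return (ip, parameter, reason) tuples for one log line, empty if nothing is suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("awstats.pl"):
        return []
    findings = []
    # parse_qs percent-decodes, so %3C is compared as '<'
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            if name in XSS_PARAMS and MARKUP.search(value):
                findings.append((m.group("ip"), name, "markup in filter parameter"))
            elif name in INFO_PARAMS and not PLAIN.fullmatch(value):
                findings.append((m.group("ip"), name, "unexpected value in path-disclosure parameter"))
    return findings

def scan(lines):
    """Scan an iterable of log lines and collect all findings."""
    return [f for line in lines for f in inspect_line(line)]

# Constructed sample traffic (not real log data); 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Jul/2006:02:32:54 +0000] "GET /cgi-bin/awstats.pl?config=site&urlfilter=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 1234',
    '203.0.113.6 - - [20/Jul/2006:02:33:10 +0000] "GET /cgi-bin/awstats.pl?config=site&year=2006&month=07 HTTP/1.1" 200 4567',
    '203.0.113.7 - - [20/Jul/2006:02:34:00 +0000] "GET /cgi-bin/awstats.pl?config=site&month=%27 HTTP/1.1" 500 321',
    '203.0.113.8 - - [20/Jul/2006:02:35:00 +0000] "GET /index.html HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for ip, param, reason in scan(SAMPLE_LOG):
        print(f"{ip}\t{param}\t{reason}")
```

Only the first and third sample lines are reported; the normal year/month request and the non-awstats request pass through silently.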