Bug#378960: [Pkg-awstats-devel] Bug#378960: awstats: CVE-2006-3681 CVE-2006-3682: multiple vulnerabilities

Charles Fry cfry at debian.org
Thu Jul 20 03:33:15 UTC 2006


Hi Laurent,

Can you please comment on these vulnerabilities, especially
CVE-2006-3681? Are these fixed in 6.6? When do you expect to release
6.6?

thanks,
Charles

-----Original Message-----
> From: Alec Berryman <alec at thened.net>
> Subject: [Pkg-awstats-devel] Bug#378960: awstats: CVE-2006-3681 CVE-2006-3682: multiple vulnerabilities
> Date: Wed, 19 Jul 2006 22:32:54 -0400
> To: Debian Bug Tracking System <submit at bugs.debian.org>
> Reply-To: Alec Berryman <alec at thened.net>, 378960 at bugs.debian.org
> 
> Package: awstats
> Version: 6.5-2
> Severity: serious
> Tags: security
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> CVE-2006-3681: "Multiple cross-site scripting (XSS) vulnerabilities in
> awstats.pl in AWStats 6.5 build 1.857 and earlier allow remote attackers
> to inject arbitrary web script or HTML via the (1) refererpagesfilter,
> (2) refererpagesfilterex, (3) urlfilterex, (4) urlfilter, (5)
> hostfilter, or (6) hostfilterex parameters, a different set of vectors
> than CVE-2006-1945."
> 
> CVE-2006-3682: "awstats.pl in AWStats 6.5 build 1.857 and earlier allows
> remote attackers to obtain the installation path via the (1) year, (2)
> pluginmode or (3) month parameters."
> 
> I have not verified either vulnerability.  The original advisory [1]
> has sample exploits.
> 
> This is not the same as #364443 or #365909.  Sarge is probably affected.
> 
> Please mention the CVEs in your changelog.
> 
> Thanks,
> 
> Alec
> 
> [1] http://pridels.blogspot.com/2006/04/awstats-65x-multiple-vuln.html
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.3 (GNU/Linux)
> 
> iD8DBQFEvutWAud/2YgchcQRAnO4AJkBYfNZSWE6zHKPGArOpX3eNnH9AwCfYtf7
> 5nTPB7EkA5xCCZLPv6xgF7I=
> =AN2l
> -----END PGP SIGNATURE-----
> 
> 

-- 
Unless
Your face
Is stinger free
You'd better let
Your honey be
Burma-Shave
http://burma-shave.org/jingles/1951/unless
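As an added example that is not part of this thread and not AWStats code: a small Python scan over constructed Apache access-log lines that flags requests to awstats.pl carrying one of the six parameters named in CVE-2006-3681 with markup or script markers in its value, or a non-numeric year/month or malformed pluginmode value of the kind that would trigger the path disclosure in CVE-2006-3682. The parameter names are the ones quoted in the report; the sample log lines, the marker regex and the assumption about what a normal year, month or pluginmode value looks like are mine, not taken from the advisory.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Parameter names quoted from the CVE text in the bug report.
XSS_PARAMS = {  # CVE-2006-3681
    "refererpagesfilter", "refererpagesfilterex",
    "urlfilterex", "urlfilter", "hostfilter", "hostfilterex",
}
PATH_DISCLOSURE_PARAMS = {"year", "month", "pluginmode"}  # CVE-2006-3682

# Assumption: generic tag / javascript: / event-handler markers, not advisory payloads.
SCRIPT_MARKERS = re.compile(r"<\s*/?\s*[a-z]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)
# Assumption: legitimate year/month values are decimal, pluginmode is a bare plugin name.
NUMERIC = re.compile(r"^\d+$")
PLUGIN_NAME = re.compile(r"^[A-Za-z0-9_]*$")

# Apache "combined" access-log line; enough fields for the constructed samples below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def classify_request(target):
    """Return [(cve, param, decoded_value), ...] for one request target."""
    parts = urlsplit(target)
    if not parts.path.endswith("awstats.pl"):
        return []
    findings = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        lname = name.lower()
        for value in values:
            decoded = unquote(value)  # parse_qs decoded once; undo a second encoding layer
            if lname in XSS_PARAMS and SCRIPT_MARKERS.search(decoded):
                findings.append(("CVE-2006-3681", lname, decoded))
            elif lname in PATH_DISCLOSURE_PARAMS:
                allowed = PLUGIN_NAME if lname == "pluginmode" else NUMERIC
                if not allowed.match(decoded):
                    findings.append(("CVE-2006-3682", lname, decoded))
    return findings


def scan_log(lines):
    """Yield (ip, timestamp, status, cve, param, value) per suspicious request.

    The HTTP status is carried along because a 500 next to a malformed
    year/month is the stronger signal that an error page leaked the path.
    """
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for cve, param, value in classify_request(m.group("target")):
            yield (m.group("ip"), m.group("ts"), m.group("status"), cve, param, value)


# Constructed sample log lines (not real traffic): two probes and two ordinary requests.
SAMPLE_LOG = [
    '198.51.100.7 - - [19/Jul/2006:22:10:03 -0400] "GET /cgi-bin/awstats.pl?config=example'
    '&urlfilter=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [19/Jul/2006:22:10:09 -0400] "GET /cgi-bin/awstats.pl?config=example'
    '&year=%27 HTTP/1.1" 500 612 "-" "Mozilla/5.0"',
    '192.0.2.15 - - [19/Jul/2006:22:11:40 -0400] "GET /cgi-bin/awstats.pl?config=example'
    '&month=07&year=2006&output=main HTTP/1.1" 200 8811 "-" "Mozilla/5.0"',
    '192.0.2.15 - - [19/Jul/2006:22:12:01 -0400] "GET /cgi-bin/awstats.pl?config=example'
    '&hostfilter=example.org HTTP/1.1" 200 4090 "-" "Mozilla/5.0"',
]


def sample_findings():
    """Run the scan over the constructed sample and return the hits as a list."""
    return list(scan_log(SAMPLE_LOG))


if __name__ == "__main__":
    for hit in sample_findings():
        print(hit)
```

Only the two probe lines are reported; the ordinary month/year request and the plain hostfilter value pass. Feed real access logs through `scan_log` one line at a time; anything it flags against a pre-6.6 AWStats is worth checking against the advisory referenced above.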