Bug#378960: [Pkg-awstats-devel] Bug#378960: awstats: CVE-2006-3681 CVE-2006-3682: multiple vulnerabilities

Laurent Destailleur (Eldy) eldy at users.sourceforge.net
Fri Jul 21 23:49:03 UTC 2006


Charles Fry wrote:
> Hi Laurent,
>
> Can you please comment on these vulnerabilities, especially
> CVE-2006-3681?
This vulnerability is true.

>  Are these fixed in 6.6? When do you expect to release
> 6.6?
>   
It is fixed in 6.6. I have just launched the beta for 6.6, meaning the 
code in the current 6.6 package will not change (except for bug corrections 
found during the beta).
The beta lasts about 2 months.

I also updated the AWStats security page to report this vulnerability code:
http://awstats.sourceforge.net/awstats_security_news.php
It is hole #3 on this page.

> thanks,
> Charles
>
> -----Original Message-----
>   
>> From: Alec Berryman <alec at thened.net>
>> Subject: [Pkg-awstats-devel] Bug#378960: awstats: CVE-2006-3681
>> 	CVE-2006-3682: multiple vulnerabilities
>> Date: Wed, 19 Jul 2006 22:32:54 -0400
>> To: Debian Bug Tracking System <submit at bugs.debian.org>
>> Reply-To: Alec Berryman <alec at thened.net>, 378960 at bugs.debian.org
>>
>> Package: awstats
>> Version: 6.5-2
>> Severity: serious
>> Tags: security
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> CVE-2006-3681: "Multiple cross-site scripting (XSS) vulnerabilities in
>> awstats.pl in AWStats 6.5 build 1.857 and earlier allow remote attackers
>> to inject arbitrary web script or HTML via the (1) refererpagesfilter,
>> (2) refererpagesfilterex, (3) urlfilterex, (4) urlfilter, (5)
>> hostfilter, or (6) hostfilterex parameters, a different set of vectors
>> than CVE-2006-1945."
>>
>> CVE-2006-3682: "awstats.pl in AWStats 6.5 build 1.857 and earlier allows
>> remote attackers to obtain the installation path via the (1) year, (2)
>> pluginmode or (3) month parameters."
>>
>> I have not verified either vulnerability.  The original advisory [1]
>> has sample exploits.
>>
>> This is not the same as #364443 or #365909.  Sarge is probably affected.
>>
>> Please mention the CVEs in your changelog.
>>
>> Thanks,
>>
>> Alec
>>
>> [1] http://pridels.blogspot.com/2006/04/awstats-65x-multiple-vuln.html
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.3 (GNU/Linux)
>>
>> iD8DBQFEvutWAud/2YgchcQRAnO4AJkBYfNZSWE6zHKPGArOpX3eNnH9AwCfYtf7
>> 5nTPB7EkA5xCCZLPv6xgF7I=
>> =AN2l
>> -----END PGP SIGNATURE-----
>>
>>
>> _______________________________________________
>> Pkg-awstats-devel mailing list
>> Pkg-awstats-devel at lists.alioth.debian.org
>> http://lists.alioth.debian.org/mailman/listinfo/pkg-awstats-devel
>>     
>
>   


-- 
Laurent Destailleur.
---------------------------------------------------------------
EMail: eldy at users.sourceforge.net
Web: http://www.destailleur.fr
IM: IRC=Eldy, Jabber=Eldy

AWStats (Author) : http://awstats.sourceforge.net
Dolibarr (Contributor) : http://www.dolibarr.com
CVSChangeLogBuilder (Author) : http://cvschangelogb.sourceforge.net
AWBot (Author) : http://awbot.sourceforge.net
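Alec's report says the two CVEs were not verified. The following is an added example, written for this page and not code from AWStats, Debian or anyone in the thread, of the check a package maintainer could run before and after upgrading: it sends a harmless marker through each of the six parameters named in CVE-2006-3681 and reports whether the marker comes back unescaped (reflected-XSS indicator), escaped (the expected fixed behaviour), or not at all. The marker string, the base URL and the two stand-in servers are constructed here so the probe runs offline; only the parameter names come from the CVE text. The CVE-2006-3682 path-disclosure issue is not covered, since nothing in the thread shows what the disclosing output looks like.

```python
"""Reflection probe for the parameters listed in CVE-2006-3681.

Added example, not AWStats code. The `fetch` callable is injected so the
same probe can run against a real CGI (e.g. with urllib) or, as here,
against constructed stand-in servers.
"""
import html
from typing import Callable, Dict, Iterable
from urllib.parse import parse_qs, urlencode, urlsplit

# Parameter names exactly as listed in the CVE-2006-3681 description.
XSS_PARAMS = (
    "refererpagesfilter", "refererpagesfilterex",
    "urlfilterex", "urlfilter", "hostfilter", "hostfilterex",
)

# Constructed marker: carries the characters that must be escaped in an
# HTML attribute or text node, but is not itself a working payload.
MARKER = '<"awstats-probe-7f3a">'


def classify(body: str, marker: str = MARKER) -> str:
    """Return 'unescaped', 'escaped' or 'absent' for `marker` in `body`.

    Unescaped wins if the raw marker appears anywhere, even if an escaped
    copy is also present (one unescaped reflection is enough for XSS).
    """
    if marker in body:
        return "unescaped"
    escaped_forms = (html.escape(marker, quote=True),
                     html.escape(marker, quote=False))
    if any(form in body for form in escaped_forms):
        return "escaped"
    return "absent"


def probe(fetch: Callable[[str], str], base_url: str,
          params: Iterable[str] = XSS_PARAMS,
          marker: str = MARKER) -> Dict[str, str]:
    """Send the marker through each parameter and classify the reflection."""
    results: Dict[str, str] = {}
    for name in params:
        url = base_url + "?" + urlencode({name: marker})
        results[name] = classify(fetch(url), marker)
    return results


def fake_server(escape_output: bool) -> Callable[[str], str]:
    """Constructed stand-in for a CGI that echoes the filter value back
    into a form field. escape_output=False mimics the vulnerable pattern,
    escape_output=True the hardened one (escape at the point of output)."""
    def fetch(url: str) -> str:
        query = parse_qs(urlsplit(url).query)
        name, values = next(iter(query.items()))
        value = values[0]
        shown = html.escape(value, quote=True) if escape_output else value
        return f'<form><input name="{name}" value="{shown}"></form>'
    return fetch


if __name__ == "__main__":
    base = "http://localhost/cgi-bin/awstats.pl"  # assumed path, constructed
    for label, server in (("vulnerable", fake_server(False)),
                          ("fixed", fake_server(True))):
        print(label, probe(server, base))
```

Against a live install, replace `fake_server(...)` with a small wrapper around `urllib.request.urlopen` that returns the response body as text; a parameter reported as `unescaped` is the one to look at in the output code, and the fix is the same escaping the `fake_server(True)` branch applies, done at the point where the value is written into HTML rather than on input.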
