Bug#364443: [Pkg-awstats-devel] Bug#364443: Vulnerability exists also
with the 'diricons' parameter
Charles Fry
debian at frogcircus.org
Fri May 5 16:52:43 UTC 2006
> as mentioned in http://www.osreviews.net/reviews/comm/awstats, the
> same type of XSS vulnerability also exists with the 'diricons'
> parameter. In this case, Debian is affected, too.
As Eldy already explained (earlier in this bug report), the entire query
string is sanitised against XSS by a call to CleanFromCSSA. The
osreviews guys noticed that the word "Sanitize" does not surround
diricons ("and possibly others as well"), but they failed to notice the
cleaning call to CleanFromCSSA.
Eldy, would you mind clarifying for us the distinction between Sanitize
and CleanFromCSSA, and explaining why you don't always call Sanitize?
Charles
--
No sooner spread than done
Burma-Shave
http://burma-shave.org/jingles/1939/no_sooner_spread
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.alioth.debian.org/pipermail/pkg-awstats-devel/attachments/20060505/43569966/attachment.pgp
More information about the Pkg-awstats-devel
mailing list