Bug#364443: [Pkg-awstats-devel] Bug#364443: Vulnerability exists also with the 'diricons' parameter
Hendrik Weimer
hendrik at enyo.de
Fri May 12 12:56:55 UTC 2006
Martin Schulze <joey at infodrom.org> writes:
> Umh... but since the query_string is already sanitised globally
> how can XSS still happen? Was the sanitising not successful?
AFAICS the query_string is not being decoded first. Therefore, a '>'
encoded as %3E will slip through. Version 6.5-2 contains the proper
fix.
Hendrik
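The ordering problem Hendrik describes, reduced to a small Python illustration. This is an added example, not code from awstats or from the bug report; the sanitiser is a toy stand-in for a global query-string filter, and the sample query strings are constructed. It shows that a filter run on the raw, still-encoded query string never sees a `>` sent as `%3E`, while the same filter run after decoding does, and it also carries the caveat that the fix only holds if sanitising runs after the last decode a consumer performs:

```python
import re
from urllib.parse import unquote

# Constructed sample query strings (not from the bug report). The second one
# carries '<' and '>' as %3C / %3E, which is the case described in the thread;
# the third is double-encoded, to show where "decode then sanitise" still needs care.
SAMPLES = {
    "plain": "config=site&diricons=/icon/",
    "encoded_gt": "config=site&diricons=%3Cscript%3Ealert(1)%3C/script%3E",
    "double_encoded": "diricons=%253Cb%253E",
}

TAG_CHARS = '<>"\''


def sanitize(s: str) -> str:
    """Toy stand-in for a global query-string sanitiser: drop every character
    that can open or close an HTML tag or break out of a quoted attribute."""
    return re.sub(r'[<>"\']', "", s)


def filter_then_decode(qs: str) -> str:
    """The ordering the thread describes as broken: sanitise the raw query
    string first, then URL-decode it when the parameters are actually used.
    The sanitiser never sees '<' or '>' because they are still %3C / %3E."""
    return unquote(sanitize(qs))


def decode_then_filter(qs: str) -> str:
    """The ordering that closes the hole: decode first, then sanitise, so the
    filter operates on the same bytes the page will later emit."""
    return sanitize(unquote(qs))


def contains_tag_chars(s: str) -> bool:
    """True if the string still holds any character the sanitiser is meant to remove."""
    return any(c in s for c in TAG_CHARS)


def compare(qs: str) -> dict:
    """Run both orderings over one query string and report whether tag
    characters survive each. Returned as a dict so the result can be checked."""
    broken = filter_then_decode(qs)
    fixed = decode_then_filter(qs)
    return {
        "filter_then_decode": broken,
        "decode_then_filter": fixed,
        "broken_leaks": contains_tag_chars(broken),
        "fixed_leaks": contains_tag_chars(fixed),
    }


if __name__ == "__main__":
    for name, qs in SAMPLES.items():
        r = compare(qs)
        print(f"{name}:")
        print(f"  filter-then-decode -> {r['filter_then_decode']!r} (leaks: {r['broken_leaks']})")
        print(f"  decode-then-filter -> {r['decode_then_filter']!r} (leaks: {r['fixed_leaks']})")
```

For the double-encoded sample, one `unquote` turns `%253C` into `%3C`, which the sanitiser leaves alone; that is safe only as long as nothing downstream decodes the value a second time before it is written into the page, so the sanitiser has to sit after the final decode, not merely after the first.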