Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20121029185458.GL2676@redhat.com>
Date: Mon, 29 Oct 2012 12:54:58 -0600
From: Vincent Danen <vdanen@...hat.com>
To: oss-security@...ts.openwall.com
Cc: Hanno B?ck <hanno@...eck.de>
Subject: Re: CVE request: awstats before 7.1 awredir.pl
 vulnerability

* [2012-10-25 23:45:13 -0600] Kurt Seifried wrote:

>On 10/25/2012 03:07 AM, Hanno Böck wrote:
>> http://awstats.sourceforge.net/docs/awstats_changelog.txt -
>> Security fix into awredir.pl
>>
>> I didn't find any more info, but please assign a CVE. (and i found
>> there were awredir issues before that got CVE-2009-5020, but I
>> think this is a different issue, at least if their changelogs are
>> correct)
>
>Please use CVE-2012-4547 for this issue.

I suspect it is this:

http://awstats.cvs.sourceforge.net/viewvc/awstats/awstats/wwwroot/cgi-bin/awredir.pl?r1=1.13&r2=1.14

But it's been over a year since this commit (but the last one is 8mos
old and seems to have no security relevance).

So looks to be XSS sanitization.

-- 
Vincent Danen / Red Hat Security Response Team 

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.