Vigil@nce: AWStats, Cross Site Scripting
December 2008 by Vigil@nce
An attacker can use a Cross Site Scripting vulnerability in AWStats in order to
execute JavaScript code in the context of the victim's web browser.
– Gravity: 2/4
– Consequences: client access/rights
– Provenance: document
– Means of attack: 1 attack
– Ability of attacker: technician (2/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 08/12/2008
IMPACTED PRODUCTS
– Debian Linux
– Fedora
– Mandriva Corporate
– Unix - platform
DESCRIPTION
The AWStats program generates web, ftp or mail statistics. It is
written in Perl, and displays its statistics on a web server.
The awstats.pl script generates an HTML document, but does not
check whether its parameters start with a quote (" or '). The generated
HTML page thus contains strings which are directly interpreted by
the web browser.
An attacker can therefore use a Cross Site Scripting vulnerability in AWStats in
order to execute JavaScript code in the context of the victim's web
browser.
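The following Perl script is an added illustration, not AWStats code, of the pattern the description refers to: a CGI parameter placed verbatim into an HTML attribute, so a value beginning with a quote closes the attribute, beside the hardened form that HTML-escapes the value. The function names, the leading-quote check and the sample values are constructed for this example.

```perl
#!/usr/bin/perl
# Added illustration (not AWStats code): an unescaped parameter breaking
# out of an HTML attribute, and the output-encoding fix.
use strict;
use warnings;

# Escape the five characters that matter inside HTML text and attributes.
sub html_escape {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# The check the advisory says awstats.pl lacked: does the value start
# with a double or single quote?
sub starts_with_quote {
    my ($s) = @_;
    return $s =~ /^["']/ ? 1 : 0;
}

# Vulnerable pattern: the parameter is interpolated as-is into an
# attribute, so a value beginning with a quote ends the attribute early.
sub render_link_unsafe {
    my ($output) = @_;
    return qq{<a href="awstats.pl?output=$output">Report</a>};
}

# Hardened pattern: every untrusted value is HTML-escaped before it is
# placed into the document, whatever character it starts with.
sub render_link_safe {
    my ($output) = @_;
    return sprintf '<a href="awstats.pl?output=%s">Report</a>',
        html_escape($output);
}

# Constructed sample values: a normal one and one that starts with a quote.
my @samples = ('main', '"><em>injected</em>');
for my $value (@samples) {
    printf "value: %s\n", $value;
    printf "  starts with quote: %s\n", starts_with_quote($value) ? 'yes' : 'no';
    printf "  unsafe: %s\n", render_link_unsafe($value);
    printf "  safe:   %s\n", render_link_safe($value);
}
```

Run with `perl` and compare the two renderings of the second sample: the unsafe one yields a closed attribute followed by new markup, the safe one keeps the whole value inside the attribute as `&quot;&gt;&lt;em&gt;...`.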
CHARACTERISTICS
– Identifiers: BID-30730, CVE-2008-3714, DSA-1679-1,
FEDORA-2008-10938, FEDORA-2008-10950, FEDORA-2008-10962,
MDVSA-2008:203, VIGILANCE-VUL-8292
– Url: http://vigilance.fr/vulnerability/8292