LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

awstats: input sanitizing

Package(s):awstats CVE #(s):CVE-2006-3681 CVE-2006-3682
Created:October 10, 2006 Updated:October 11, 2006
Description: awstats did not fully sanitize input, which was passed directly to the user's browser, allowing for an XSS attack. If a user was tricked into following a specially crafted awstats URL, the user's authentication information could be exposed for the domain where awstats was hosted. (CVE-2006-3681)

awstats could display its installation path under certain conditions. However, this might only become a concern if awstats is installed into an user's home directory. (CVE-2006-3682)

Alerts:
Ubuntu USN-360-1 2006-10-10
(Log in to post comments)

awstats: input sanitizing

Posted Feb 19, 2007 20:16 UTC (Mon) by kreutzm (guest, #4700) [Link]

The first vulnerability was fixed (by chance) by an earlier DSA, the latter one is, as stated, no problem for a distribution like Debian.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds