awstats: input sanitizing
Package(s): awstats
CVE #(s): CVE-2006-3681 CVE-2006-3682
Created: October 10, 2006
Updated: October 11, 2006
Description: awstats did not fully sanitize input, which was passed directly to the user's browser, allowing for an XSS attack. If a user was tricked into following a specially crafted awstats URL, the user's authentication information could be exposed for the domain where awstats was hosted. (CVE-2006-3681)

awstats could display its installation path under certain conditions. However, this might only become a concern if awstats is installed into a user's home directory. (CVE-2006-3682)
Posted Feb 19, 2007 20:16 UTC (Mon)
by kreutzm (guest, #4700)
The first vulnerability was fixed (by chance) by an earlier DSA; the latter one is, as stated, no problem for a distribution like Debian.