awstats: CVE-2006-3681 CVE-2006-3682: multiple vulnerabilities

Related Vulnerabilities: CVE-2006-3681   CVE-2006-3682   CVE-2006-1945  

Debian Bug report logs - #378960

Reported by: Alec Berryman <alec@thened.net>

Date: Thu, 20 Jul 2006 02:48:01 UTC

Severity: serious

Tags: security

Found in version awstats/6.5-2

Done: Charles Fry <cfry@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>:
Bug#378960; Package awstats.


Acknowledgement sent to Alec Berryman <alec@thened.net>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Alec Berryman <alec@thened.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: awstats: CVE-2006-3681 CVE-2006-3682: multiple vulnerabilities
Date: Wed, 19 Jul 2006 22:32:54 -0400
Package: awstats
Version: 6.5-2
Severity: serious
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2006-3681: "Multiple cross-site scripting (XSS) vulnerabilities in
awstats.pl in AWStats 6.5 build 1.857 and earlier allow remote attackers
to inject arbitrary web script or HTML via the (1) refererpagesfilter,
(2) refererpagesfilterex, (3) urlfilterex, (4) urlfilter, (5)
hostfilter, or (6) hostfilterex parameters, a different set of vectors
than CVE-2006-1945."

CVE-2006-3682: "awstats.pl in AWStats 6.5 build 1.857 and earlier allows
remote attackers to obtain the installation path via the (1) year, (2)
pluginmode or (3) month parameters."

I have not verified either vulnerability.  The original advisory [1]
has sample exploits.

This is not the same as #364443 or #365909.  Sarge is probably affected.

Please mention the CVEs in your changelog.

Thanks,

Alec

[1] http://pridels.blogspot.com/2006/04/awstats-65x-multiple-vuln.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEvutWAud/2YgchcQRAnO4AJkBYfNZSWE6zHKPGArOpX3eNnH9AwCfYtf7
5nTPB7EkA5xCCZLPv6xgF7I=
=AN2l
-----END PGP SIGNATURE-----



Information forwarded to debian-bugs-dist@lists.debian.org, Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>:
Bug#378960; Package awstats.


Acknowledgement sent to Charles Fry <cfry@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>.


Message #10 received at 378960@bugs.debian.org:

From: Charles Fry <cfry@debian.org>
To: eldy@users.sourceforge.net
Cc: 378960@bugs.debian.org
Subject: Re: [Pkg-awstats-devel] Bug#378960: awstats: CVE-2006-3681 CVE-2006-3682: multiple vulnerabilities
Date: Wed, 19 Jul 2006 23:33:15 -0400
Hi Laurent,

Can you please comment on these vulnerabilities, especially
CVE-2006-3681? Are these fixed in 6.6? When do you expect to release
6.6?

thanks,
Charles

-- 
Unless
Your face
Is stinger free
You'd better let
Your honey be
Burma-Shave
http://burma-shave.org/jingles/1951/unless

Information forwarded to debian-bugs-dist@lists.debian.org, Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>:
Bug#378960; Package awstats.


Acknowledgement sent to "Laurent Destailleur (Eldy)" <eldy@users.sourceforge.net>:
Extra info received and forwarded to list. Copy sent to Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>.


Message #15 received at 378960@bugs.debian.org:

From: "Laurent Destailleur (Eldy)" <eldy@users.sourceforge.net>
To: Charles Fry <cfry@debian.org>
Cc: 378960@bugs.debian.org
Subject: Re: [Pkg-awstats-devel] Bug#378960: awstats: CVE-2006-3681 CVE-2006-3682: multiple vulnerabilities
Date: Sat, 22 Jul 2006 01:49:03 +0200
Charles Fry wrote:
> Hi Laurent,
>
> Can you please comment on these vulnerabilities, especially
> CVE-2006-3681?
This vulnerability is true.

>  Are these fixed in 6.6? When do you expect to release
> 6.6?
>   
It is fixed in 6.6. I have just launched the beta start for 6.6, meaning
code in current 6.6 package will not change (except for bug corrections
found during beta).
Beta lasts about 2 months.

I also updated the AWStats security page to report this vulnerability code:
http://awstats.sourceforge.net/awstats_security_news.php
It is hole #3 on this page.

> thanks,
> Charles

-- 
Laurent Destailleur.
---------------------------------------------------------------
EMail: eldy@users.sourceforge.net
Web: http://www.destailleur.fr
IM: IRC=Eldy, Jabber=Eldy

AWStats (Author) : http://awstats.sourceforge.net
Dolibarr (Contributor) : http://www.dolibarr.com
CVSChangeLogBuilder (Author) : http://cvschangelogb.sourceforge.net
AWBot (Author) : http://awbot.sourceforge.net




Information forwarded to debian-bugs-dist@lists.debian.org, Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>:
Bug#378960; Package awstats.


Acknowledgement sent to Charles Fry <cfry@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>.


Message #20 received at 378960@bugs.debian.org:

From: Charles Fry <cfry@debian.org>
To: "Laurent Destailleur (Eldy)" <eldy@users.sourceforge.net>
Cc: 378960@bugs.debian.org
Subject: Re: [Pkg-awstats-devel] Bug#378960: awstats: CVE-2006-3681 CVE-2006-3682: multiple vulnerabilities
Date: Fri, 21 Jul 2006 21:51:23 -0400
> > Are these fixed in 6.6? When do you expect to release
> >6.6?
> >  
> It is fixed in 6.6. I have just launched the beta start for 6.6, meaning
> code in current 6.6 package will not change (except for bug corrections
> found during beta).
> Beta lasts about 2 months.
>
> I also updated the AWStats security page to report this vulnerability code:
> http://awstats.sourceforge.net/awstats_security_news.php
> It is hole #3 on this page.

Now, the important follow up question: what patch should be applied to
6.5 (or 6.4) in order to fix this problem? As far as I can tell from
comparing 6.5 to 6.6 the important change is the one that we have
already included in Debian, which is:

-   $QueryString = CleanFromCSSA($QueryString);
+   $QueryString = CleanFromCSSA(&DecodeEncodedString($QueryString));
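
Review bot: the `+` line decodes `$QueryString` exactly once before `CleanFromCSSA` sees it, so a value that is percent-encoded twice still reaches the filter in encoded form; check that nothing after this assignment decodes the query string or its parameter values a second time. The assignment also writes the decoded string back into `$QueryString`, so later splitting on `&` and `=` will treat decoded separators inside a value as real ones. A comment on this line saying that decoding must come before filtering, and that later code must not decode again, would keep the ordering from being undone by accident.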

Is that correct, or am I missing some other component of the fix?

thanks,
Charles

-- 
Don't put it off -- Put it on
Burma-Shave
http://burma-shave.org/jingles/1939/dont_put_it

Reply sent to Charles Fry <cfry@debian.org>:
You have taken responsibility.


Notification sent to Alec Berryman <alec@thened.net>:
Bug acknowledged by developer.


Message #25 received at 378960-done@bugs.debian.org:

From: Charles Fry <cfry@debian.org>
To: 378960-done@bugs.debian.org
Subject: [Fwd: Re: [Pkg-awstats-devel] Bug#378960: awstats: CVE-2006-3681 CVE-2006-3682: multiple vulnerabilities]
Date: Sat, 22 Jul 2006 13:01:54 -0400
Looks like this was already taken care of in a previous patch.

Charles

----- Forwarded message from "Laurent Destailleur (Eldy)" <eldy@users.sourceforge.net> -----

From: "Laurent Destailleur (Eldy)" <eldy@users.sourceforge.net>
Subject: Re: [Pkg-awstats-devel] Bug#378960: awstats: CVE-2006-3681 CVE-2006-3682:
 multiple vulnerabilities
Date: Sat, 22 Jul 2006 18:36:02 +0200
To: Charles Fry <cfry@debian.org>

Charles Fry wrote:
>>>Are these fixed in 6.6? When do you expect to release
>>>6.6?
>>> 
>>>      
>>It is fixed in 6.6. I have just launched the beta start for 6.6, meaning
>>code in current 6.6 package will not change (except for bug corrections
>>found during beta).
>>Beta lasts about 2 months.
>>
>>I also updated the AWStats security page to report this vulnerability code:
>>http://awstats.sourceforge.net/awstats_security_news.php
>>It is hole #3 on this page.
>>    
>
>Now, the important follow up question: what patch should be applied to
>6.5 (or 6.4) in order to fix this problem? As far as I can tell from
>comparing 6.5 to 6.6 the important change is the one that we have
>already included in Debian, which is:
>
>-   $QueryString = CleanFromCSSA($QueryString);
>+   $QueryString = CleanFromCSSA(&DecodeEncodedString($QueryString));
>
>Is that correct, or am I missing some other component of the fix?
>  
Yes, it's correct. This fix also solves this hole, so there is nothing more
to do if such a patch was already provided in 6.5.
>thanks,
>Charles
>
>  



----- End forwarded message -----

-- 
Ashes to ashes
Forests to dust
Keep Wisconsin green
Or we'll
All go bust
Burma-Shave
http://burma-shave.org/jingles/1949/ashes_to_ashes2
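
Why the one-line fix confirmed in this thread works, as an added Python model that is not AWStats code and not part of any message above: filtering a still-encoded query string finds nothing to remove, while decoding first lets the filter see the markup. `clean_markup` is a hypothetical stand-in for `CleanFromCSSA`, `unquote_plus` stands in for `DecodeEncodedString`, the sample values are constructed, and it is assumed that the unpatched code decodes parameter values after filtering.

```python
import re
from urllib.parse import unquote_plus

# The six parameters listed under CVE-2006-3681 in the report above.
FILTER_PARAMS = (
    "refererpagesfilter", "refererpagesfilterex", "urlfilterex",
    "urlfilter", "hostfilter", "hostfilterex",
)
# Constructed sample: percent-encoded form of the harmless markup <b>x</b>.
SAMPLE_VALUE = "%3Cb%3Ex%3C%2Fb%3E"
MARKUP = re.compile("[<>\"']")


def clean_markup(text):
    """Hypothetical stand-in for CleanFromCSSA: strip < > and quotes."""
    return MARKUP.sub("", text)


def get_param(query, name):
    """Return the value of `name` from a key=value&key=value string."""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    return ""


def value_before_fix(query, name):
    """Filter the still-encoded string; decoding afterwards is assumed."""
    cleaned = clean_markup(query)  # sees "%3C", which contains no "<"
    return unquote_plus(get_param(cleaned, name))


def value_after_fix(query, name):
    """Decode first, then filter: the order in the '+' line of the patch."""
    cleaned = clean_markup(unquote_plus(query))
    return get_param(cleaned, name)


def regression_report():
    """Per CVE-listed parameter: does markup survive (before, after)?"""
    report = {}
    for name in FILTER_PARAMS:
        query = "config=example&%s=%s" % (name, SAMPLE_VALUE)  # constructed
        before = value_before_fix(query, name)
        after = value_after_fix(query, name)
        report[name] = (bool(MARKUP.search(before)), bool(MARKUP.search(after)))
    return report
```

`regression_report()` gives one `(before, after)` pair per parameter, which makes it usable as a backport check when the same ordering change is applied to an older branch.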

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 18 Jun 2007 11:43:12 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:18:02 2019; Machine Name: buxtehude
