AWStats Cross-Site Scripting Vulnerability Print
Written by Rebecca Mints   
Monday, 18 August 2008 00:54

 

Morgan Todd has discovered a vulnerability in AWStats, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed in the URL to awstats.pl is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

 

Successful exploitation requires that the application is running as a CGI script. The vulnerability is confirmed in version 6.8. Other versions may also be affected.

Solution:
Fixed in version 6.9 (beta).
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by: Morgan Todd

Original Advisory:
http://sourceforge.net/tracker/index.php?func=detail&aid=2001151&groupˍid=13764&atid=113764