Your message dated Sat, 22 Jul 2006 13:01:54 -0400
with message-id <[EMAIL PROTECTED]>
and subject line [Fwd: Re: [Pkg-awstats-devel] Bug#378960: awstats:
CVE-2006-3681 CVE-2006-3682: multiple vulnerabilities]
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: awstats
Version: 6.5-2
Severity: serious
Tags: security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CVE-2006-3681: "Multiple cross-site scripting (XSS) vulnerabilities in
awstats.pl in AWStats 6.5 build 1.857 and earlier allow remote attackers
to inject arbitrary web script or HTML via the (1) refererpagesfilter,
(2) refererpagesfilterex, (3) urlfilterex, (4) urlfilter, (5)
hostfilter, or (6) hostfilterex parameters, a different set of vectors
than CVE-2006-1945."
CVE-2006-3682: "awstats.pl in AWStats 6.5 build 1.857 and earlier allows
remote attackers to obtain the installation path via the (1) year, (2)
pluginmode or (3) month parameters."
I have not verified either vulnerability. The original advisory [1]
has sample exploits.
This is not the same as #364443 or #365909. Sarge is probably affected.
Please mention the CVEs in your changelog.
Thanks,
Alec
[1] http://pridels.blogspot.com/2006/04/awstats-65x-multiple-vuln.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFEvutWAud/2YgchcQRAnO4AJkBYfNZSWE6zHKPGArOpX3eNnH9AwCfYtf7
5nTPB7EkA5xCCZLPv6xgF7I=
=AN2l
-----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---
Looks like this was already taken care of in a previous patch.
Charles
----- Forwarded message from "Laurent Destailleur (Eldy)" <[EMAIL PROTECTED]>
-----
From: "Laurent Destailleur (Eldy)" <[EMAIL PROTECTED]>
Subject: Re: [Pkg-awstats-devel] Bug#378960: awstats: CVE-2006-3681
CVE-2006-3682:
multiple vulnerabilities
Date: Sat, 22 Jul 2006 18:36:02 +0200
To: Charles Fry <[EMAIL PROTECTED]>
Charles Fry a écrit :
>>>Are these fixed in 6.6? When do you expect to release
>>>6.6?
>>>
>>>
>>It is fixed in 6.6. I have just launched the beta start for 6.6 meanings
>>code in current 6.6 package will not change (except for bug corrections
>>found during beta).
>>Beta last about 2 month.
>>
>>I also updated the AWStats security page to report this vulnerability code:
>>http://awstats.sourceforge.net/awstats_security_news.php
>>It is the hole #3 in this page.
>>
>
>Now, the important follow up question: what patch should be applied to
>6.5 (or 6.4) in order to fix this problem? As far as I can tell from
>comparing 6.5 to 6.6 the important change is the one that we have
>already included in Debian, which is:
>
>- $QueryString = CleanFromCSSA($QueryString);
>+ $QueryString = CleanFromCSSA(&DecodeEncodedString($QueryString));
>
>Is that correct, or am I missing some other component of the fix?
>
Yes it's correct. This fix solve also this hole, so nothing to do more
if such a patch was already provided in 6.5.
>thanks,
>Charles
>
>
--
Laurent Destailleur.
---------------------------------------------------------------
EMail: [EMAIL PROTECTED]
Web: http://www.destailleur.fr
IM: IRC=Eldy, Jabber=Eldy
AWStats (Author) : http://awstats.sourceforge.net
Dolibarr (Contributor) : http//www.dolibarr.com
CVSChangeLogBuilder (Author) : http://cvschangelogb.sourceforge.net
AWBot (Author) : http://awbot.sourceforge.net
----- End forwarded message -----
--
Ashes to ashes
Forests to dust
Keep Wisconsin green
Or we'll
All go bust
Burma-Shave
http://burma-shave.org/jingles/1949/ashes_to_ashes2
signature.asc
Description: Digital signature
--- End Message ---
