Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 440764 (CVE-2012-4547) - <www-misc/awstats-7.1_p20121017: potentially susceptible to XSS attacks (CVE-2012-4547)
Summary: <www-misc/awstats-7.1_p20121017: potentially susceptible to XSS attacks (CVE-...
Status: RESOLVED FIXED
Alias: CVE-2012-4547
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: http://awstats.sourceforge.net/docs/a...
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-11-01 16:05 UTC by Agostino Sarubbo
Modified: 2012-11-15 12:29 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2012-11-01 16:05:40 UTC
From https://bugzilla.redhat.com/show_bug.cgi?id=871159 :

A new CleanXSS() function was added [1] to awstats' awredir.pl cgi script and is part of the 7.1 
release [2].  The additional function aims to clean strings of HTML tags so as to avoid XSS flaws.

It doesn't indicate whether or not it was possible to actually inject arbitrary HTML into these 
strings or whether this was just a hardening mechanism, however this would be applicable to all 
currently supported versions of awstats.

[1] 
http://awstats.cvs.sourceforge.net/viewvc/awstats/awstats/wwwroot/cgi-bin/awredir.pl?r1=1.13&r2=1.14
[2] http://awstats.sourceforge.net/docs/awstats_changelog.txt
Comment 1 Diego Elio Pettenò (RETIRED) gentoo-dev 2012-11-01 16:17:03 UTC
And obviously there is no new version, they just re-released 7.1 as usual.

Sigh, on it.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2012-11-02 00:41:29 UTC
CVE-2012-4547 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4547):
  Unspecified vulnerability in awredir.pl in AWStats before 7.1 has unknown
  impact and attack vectors.
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2012-11-10 20:14:05 UTC
Diego / web-apps: ok to stabilize?

(Thanks for the fast bump, Diego.)
Comment 4 Diego Elio Pettenò (RETIRED) gentoo-dev 2012-11-10 20:43:14 UTC
Yes okay to stabilize, been using it since the bump and it's okay. Just the usual fixes I suppose.
Comment 5 Sean Amoss (RETIRED) gentoo-dev Security 2012-11-11 13:38:26 UTC
(In reply to comment #4)
> Yes okay to stabilize, been using it since the bump and it's okay. Just the
> usual fixes I suppose.

Great, thanks.

Arches, please test and mark stable =www-misc/awstats-7.1_p20121017
Comment 6 Agostino Sarubbo gentoo-dev 2012-11-11 14:03:43 UTC
amd64 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2012-11-12 13:08:39 UTC
Stable for HPPA.
Comment 8 Andreas Schürch gentoo-dev 2012-11-12 18:29:51 UTC
x86 done.
Comment 9 Anthony Basile gentoo-dev 2012-11-15 12:23:41 UTC
stable ppc
Comment 10 Sean Amoss (RETIRED) gentoo-dev Security 2012-11-15 12:29:33 UTC
Thanks, everyone.

Closing noglsa for XSS only.