Date: Mon, 29 Oct 2012 12:54:58 -0600 From: Vincent Danen <vdanen@...hat.com> To: oss-security@...ts.openwall.com Cc: Hanno B?ck <hanno@...eck.de> Subject: Re: CVE request: awstats before 7.1 awredir.pl vulnerability * [2012-10-25 23:45:13 -0600] Kurt Seifried wrote: >On 10/25/2012 03:07 AM, Hanno Böck wrote: >> http://awstats.sourceforge.net/docs/awstats_changelog.txt - >> Security fix into awredir.pl >> >> I didn't find any more info, but please assign a CVE. (and i found >> there were awredir issues before that got CVE-2009-5020, but I >> think this is a different issue, at least if their changelogs are >> correct) > >Please use CVE-2012-4547 for this issue. I suspect it is this: http://awstats.cvs.sourceforge.net/viewvc/awstats/awstats/wwwroot/cgi-bin/awredir.pl?r1=1.13&r2=1.14 But it's been over a year since this commit (but the last one is 8mos old and seems to have no security relevance). So looks to be XSS sanitization. -- Vincent Danen / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.