Login
Newsletter
Werbung

Sicherheit: Cross-Site Scripting in AWStats
Aktuelle Meldungen Distributionen
Name: Cross-Site Scripting in AWStats
ID: USN-686-1
Distribution: Ubuntu
Plattformen: Ubuntu 6.06, Ubuntu 7.10, Ubuntu 8.04 LTS, Ubuntu 8.10
Datum: Do, 4. Dezember 2008, 01:18
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3714
Applikationen: awstats

Originalnachricht


--===============5094966926938264016==
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature";
boundary="LTeJQqWS0MN7I/qa"
Content-Disposition: inline


--LTeJQqWS0MN7I/qa
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

===========================================================
Ubuntu Security Notice USN-686-1 December 04, 2008
awstats vulnerability
CVE-2008-3714
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.10
Ubuntu 8.04 LTS
Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
awstats 6.5-1ubuntu1.3

Ubuntu 7.10:
awstats 6.6+dfsg-1ubuntu0.1

Ubuntu 8.04 LTS:
awstats 6.7.dfsg-1ubuntu0.1

Ubuntu 8.10:
awstats 6.7.dfsg-5ubuntu0.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Morgan Todd discovered that AWStats did not correctly strip quotes from
certain parameters, allowing for an XSS attack when running as a CGI.
If a user was tricked by a remote attacker into following a specially
crafted URL, the user's authentication information could be exposed for
the domain where AWStats was hosted.


Updated packages for Ubuntu 6.06 LTS:

Source archives:

awstats_6.5-1ubuntu1.3.diff.gz
Size/MD5: 20231 02f6d6768115e61ecf3cb347e20a4d6b
awstats_6.5-1ubuntu1.3.dsc
Size/MD5: 823 0acdf09ceaa643749b1d42a48b01a753
awstats_6.5.orig.tar.gz
Size/MD5: 1051780 aef00b2ff5c5413bd2a868299cabd69a

Architecture independent packages:

awstats_6.5-1ubuntu1.3_all.deb
Size/MD5: 853248 3b839bfdfce5331f902838694df21039

Updated packages for Ubuntu 7.10:

Source archives:

awstats_6.6+dfsg-1ubuntu0.1.diff.gz
Size/MD5: 20242 b0b2a251637b40ba30f2916b45629f33
awstats_6.6+dfsg-1ubuntu0.1.dsc
Size/MD5: 915 ca6ded2a6d1fe2175d01d996b0e3f590
awstats_6.6+dfsg.orig.tar.gz
Size/MD5: 1073578 6887d3f49de4f50830c0940041200632

Architecture independent packages:

awstats_6.6+dfsg-1ubuntu0.1_all.deb
Size/MD5: 898120 cc9aa605fbe5455b2c0681ee4f3c7af1

Updated packages for Ubuntu 8.04 LTS:

Source archives:

awstats_6.7.dfsg-1ubuntu0.1.diff.gz
Size/MD5: 23385 ab783d7817033c0240920e0d4aa6637c
awstats_6.7.dfsg-1ubuntu0.1.dsc
Size/MD5: 1017 1e66b61f4a072905ab5039c9211fc7c8
awstats_6.7.dfsg.orig.tar.gz
Size/MD5: 1093568 98a5fad9c379ac4884d7af90db6e087b

Architecture independent packages:

awstats_6.7.dfsg-1ubuntu0.1_all.deb
Size/MD5: 907832 a7c108e27112aa3ef21df347302dce36

Updated packages for Ubuntu 8.10:

Source archives:

awstats_6.7.dfsg-5ubuntu0.1.diff.gz
Size/MD5: 28889 57d485dea3b40aadc924c81fa67666e4
awstats_6.7.dfsg-5ubuntu0.1.dsc
Size/MD5: 1530 c6dae34e2a0ac2d7036e45257e62f122
awstats_6.7.dfsg.orig.tar.gz
Size/MD5: 1093568 98a5fad9c379ac4884d7af90db6e087b

Architecture independent packages:

awstats_6.7.dfsg-5ubuntu0.1_all.deb
Size/MD5: 908744 ca2b119c43f0943d1763348e10a599c6


--LTeJQqWS0MN7I/qa
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Kees Cook <kees@outflux.net>

iEYEARECAAYFAkk3IXgACgkQH/9LqRcGPm1eYQCfTwnOiM5ThYt+7ncmmgzkvJyk
8d4An1MQCpwf5EejNBnz/9IC8PZ0ZcEA
=MXD7
-----END PGP SIGNATURE-----

--LTeJQqWS0MN7I/qa--


--===============5094966926938264016==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

--===============5094966926938264016==--
Pro-Linux
Pro-Linux @Facebook
Neue Nachrichten
Werbung