AWStats awstats.pl 跨站脚本攻击漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1115921 漏洞类型 跨站脚本
发布时间 2008-08-18 更新时间 2009-03-07
CVE编号 CVE-2008-3714 CNNVD-ID CNNVD-200808-252
漏洞平台 CGI CVSS评分 4.3
|漏洞来源
https://www.exploit-db.com/exploits/32258
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200808-252
|漏洞详情
AWStats是一款流行的基于Web的网站流量分析软件。AWStats6.8版本的awstats.pl存在跨站攻击漏洞,攻击者可通过query_string,注入任意web脚本或HTML代码,实现跨站攻击。
|漏洞EXP
source: http://www.securityfocus.com/bid/30730/info

AWStats is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

AWStats 6.8 is vulnerable; other versions may also be affected. 

http://www.example.com/awstats/awstats.pl?config=www.example.com&%22onload=%22alert(document.domain)//
|参考资料

来源:FEDORA
名称:FEDORA-2008-7684
链接:https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00355.html
来源:FEDORA
名称:FEDORA-2008-7663
链接:https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00107.html
来源:XF
名称:awstats-awstats-xss(44504)
链接:http://xforce.iss.net/xforce/xfdb/44504
来源:UBUNTU
名称:USN-686-1
链接:http://www.ubuntu.com/usn/usn-686-1
来源:SECTRACK
名称:1020704
链接:http://www.securitytracker.com/id?1020704
来源:BID
名称:30730
链接:http://www.securityfocus.com/bid/30730
来源:MANDRIVA
名称:MDVSA-2008:203
链接:http://www.mandriva.com/security/advisories?name=MDVSA-2008:203
来源:VUPEN
名称:ADV-2008-2399
链接:http://www.frsirt.com/english/advisories/2008/2399
来源:DEBIAN
名称:DSA-1679
链接:http://www.debian.org/security/2008/dsa-1679
来源:Sourceforge
链接:http://sourceforge.net/tracker/index.php?func=detail&aid=2001151&group_id=13764&atid=113764
来源:SECUNIA
名称:33002
链接:http://secunia.com/advisories/33002
来源:SECUNIA
名称:32939
链接:http://secunia.com/advisories/32939
来源:SECUNIA
名称:31759