[VIM] awstats - taking bets
security curmudgeon
jericho at attrition.org
Fri May 5 23:08:58 EDT 2006
http://awstats.sourceforge.net/awstats_security_news.php
Version 6.6 or higher (safe from any known exploits)
There is no exploit or hole known to the AWStats team in this version, so
AWStats 6.6 and higher are safe.
You may however find announcements (even recent ones) about several holes in
AWStats. These announcements claim that parameters provided in URLs are not
sanitized. As you can see in the AWStats code, you may find the line
$QueryString = CleanFromCSSA(&DecodeEncodedString($QueryString));
This line sanitizes all URL parameters provided to AWStats. Note: Some
announcements say that some AWStats versions have more serious holes because of
the use of the "eval" Perl function. It's true that using the "eval" function
can be a hole when its parameters are not sanitized, but they are in 6.5
(for the 'configdir' parameter) and in 6.6 (for all parameters, even the
'migrate' parameter forgotten in 6.5), so you can ignore such warnings.
It's the same for CSS attacks. Parameters are sanitized to prevent CSS attacks
in the AWStats core code by the same line.
[..]
So.. no more input sanitization failure related vulns from here on out!
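Added example, not from the post and not AWStats' own Perl: the quoted line decodes the query string before cleaning it, and the thread's topic is sanitizing URL parameters. The Python sketch below shows the same decode-then-validate order for a "config"-style parameter, adds an allowlist of deployed configs on top of the syntax check, and contrasts that with a strip-the-markup filter to show why a filter built for one output context (HTML) says nothing about another (a file name). The sample query strings, the CONFIG_TOKEN pattern, the DEPLOYED set and the /etc/awstats path layout are constructed assumptions for illustration.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample query strings for illustration (not from AWStats or any real log).
SAMPLE_QUERIES = {
    "plain":     "config=example.com&lang=en",
    "encoded":   "config=example%2Ecom&lang=en",      # decodes to example.com
    "traversal": "config=..%2F..%2Fetc%2Fpasswd",      # decodes to ../../etc/passwd
    "markup":    "config=%3Cb%3Eexample%3C%2Fb%3E",    # decodes to <b>example</b>
    "unknown":   "config=other.example&lang=en",       # well-formed, but not deployed
}

# Assumption: a config name is a host-name-like token; anything else is rejected outright.
CONFIG_TOKEN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")
MARKUP = re.compile(r"<[^>]*>")

# Assumption: the set of configs the site actually ships.
DEPLOYED = frozenset({"example.com"})


def strip_markup(value: str) -> str:
    """A 'clean' style filter: remove tags and keep the rest.
    Adequate for an HTML context; it says nothing about whether the
    remaining value is a safe file name or shell argument."""
    return MARKUP.sub("", value)


def decode_then_validate(query_string: str) -> str:
    """Decode first (parse_qsl percent-decodes), then validate the decoded
    value, the same order as CleanFromCSSA(&DecodeEncodedString(...)) in the
    quoted line, so the check sees the bytes the application will use.
    Rejects rather than cleans: a bad value never reaches later code."""
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    name = params.get("config", "")
    if not CONFIG_TOKEN.match(name):
        raise ValueError(f"rejected config parameter: {name!r}")
    return name


def resolve_config(query_string: str, deployed: frozenset) -> str:
    """Allowlist on top of the syntax check: only configs that actually exist."""
    name = decode_then_validate(query_string)
    if name not in deployed:
        raise LookupError(f"no such config: {name}")
    # Assumption: the conventional awstats.<name>.conf layout.
    return f"/etc/awstats/awstats.{name}.conf"


def classify(query_string: str, deployed: frozenset) -> str:
    """Summarise the outcome for one query string (handy for log review)."""
    try:
        return "accepted:" + resolve_config(query_string, deployed)
    except ValueError:
        return "rejected-syntax"
    except LookupError:
        return "rejected-unknown"


if __name__ == "__main__":
    for label, qs in SAMPLE_QUERIES.items():
        print(f"{label:10} {classify(qs, DEPLOYED)}")
    # The strip-only filter passes the traversal value unchanged: wrong tool for this context.
    print("strip_markup on traversal:", strip_markup("../../etc/passwd"))
```

The two rejected categories are worth logging separately: a steady trickle of "rejected-unknown" is usually misconfiguration, while "rejected-syntax" on a parameter that should only ever be a host name is a signal worth alerting on.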