Vigil@nce: AWStats, Cross Site Scripting
October 2009 by Vigil@nce
An attacker can exploit a Cross Site Scripting vulnerability in AWStats
in order to execute JavaScript code in the context of the victim’s web
browser.
Severity: 2/4
Consequences: client access/rights
Provenance: document
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 12/10/2009
IMPACTED PRODUCTS
– Mandriva Corporate
– Mandriva Enterprise Server
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
The AWStats program generates web, FTP or mail statistics. It is
written in Perl, and displays its statistics on a web server.
The vulnerability described in the VIGILANCE-VUL-8292
(https://vigilance.fr/tree/1/8292) bulletin was not fully
corrected.
An attacker can therefore still exploit a Cross Site Scripting
vulnerability in AWStats in order to execute JavaScript code in the
context of the victim’s web browser.
CHARACTERISTICS
Identifiers: CVE-2008-5080, MDVSA-2009:266, VIGILANCE-VUL-9081
http://vigilance.fr/vulnerability/AWStats-Cross-Site-Scripting-9081