I don't really like releasing information about security bugs this way. But I'd rather have people know about a bug in the software they use if it's not fixed. The information has been publicly available in the SourceForge tracker anyway.
AWStats contains a cross-site scripting (XSS) vulnerability in the output parameter:
http://[domain]/awstats/awstats.pl?config=[example.com]&framename=mainright&output="%20style="width:%20expression(alert('XSS'));"
This one doesn't work in Firefox; it does in IE7, though.
(I tried contacting the author in several ways, no response.)
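The payload above only works if the output value lands inside a double-quoted HTML attribute without encoding. The following is an added example, not AWStats code or anything from the original post: it parses that URL and compares an unescaped render with an escaped one and an allow-list check. The input template, the host name and the allow-list contents are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# URL from the post; the host and config placeholders are filled with constructed values.
POC_URL = ("http://stats.example/awstats/awstats.pl?config=example.com"
           "&framename=mainright"
           "&output=\"%20style=\"width:%20expression(alert('XSS'));\"")

# Assumed allow-list of report names, for illustration only.
ALLOWED_OUTPUTS = {"main", "allhosts", "urldetail"}

def output_param(url):
    """Return the percent-decoded 'output' query parameter ('' if absent)."""
    for pair in urlsplit(url).query.split("&"):
        name, _, value = pair.partition("=")
        if name == "output":
            return unquote(value)
    return ""

def render_unsafe(value):
    # Hypothetical template: the value is pasted into a quoted attribute as-is.
    return '<input type="hidden" name="output" value="%s">' % value

def render_escaped(value):
    # escape(quote=True) rewrites " as &quot;, so the value cannot close the attribute.
    return '<input type="hidden" name="output" value="%s">' % escape(value, quote=True)

class _Attrs(HTMLParser):
    """Collects the attributes an HTML parser sees on the start tags."""
    def __init__(self):
        super().__init__()
        self.attrs = {}
    def handle_starttag(self, tag, attrs):
        self.attrs.update(attrs)

def parsed_attributes(markup):
    parser = _Attrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs

def is_allowed(value):
    # Strongest fix for an enumerated parameter: reject anything not on the list.
    return value in ALLOWED_OUTPUTS

if __name__ == "__main__":
    payload = output_param(POC_URL)
    print(sorted(parsed_attributes(render_unsafe(payload))))
    print(sorted(parsed_attributes(render_escaped(payload))))
    print(is_allowed(payload))
```

In the unescaped render the parser reports an extra style attribute that the template never declared; in the escaped render the whole payload stays inside value.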
Monday, May 25, 2009