[VIM] awstats - taking bets

security curmudgeon jericho at attrition.org
Fri May 5 23:08:58 EDT 2006


Version 6.6 or higher (safe from any known exploits)

There is no exploit nor hole known by AWStats team on this version, so 
AWStats 6.6 and higher are safe.

You may however find announces (even recent) about several holes in 
AWStats. This announces claims that parameters provided into URLs are not 
sanitized. As you can see in AWStats code, you may find the line 
$QueryString = CleanFromCSSA(&DecodeEncodedString($QueryString)); This 
line sanitizes all URLs parameters provided to AWStats. Note: Some 
annouces say that some AWstats versions has more serious holes because of 
the use of the "eval" Perl function. It's true that using "eval" function 
can be a hole when its parameters are not sanitized, but they are in 6.5 
(for the 'configdir' parameter) and are in 6.6 (for all parameters, even 
'migrate' parameter forgotten in 6.5), so you can ignore such warnings.

It's same for CSS attacks. Parameters to prevent CSS attacks are sanitized 
in AWStats core code by the same line.


So.. no more input sanitization failure related vulns from here on out!

More information about the VIM mailing list