Bug 474396 (CVE-2008-5080)

Summary: CVE-2008-5080 awstats: incomplete fix for CVE-2008-3714 XSS issue
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: gauret, rpm
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-03-29 09:22:03 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Comment 1 Tomas Hoger 2008-12-03 17:22:27 UTC 
It was discovered that the upstream patch for cross-site scripting (XSS) issue in awstats known as CVE-2008-3714 does not completely resolve the problem and it still allows injection of quote characters.

Improved patch is available in the Debian BTS:
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495432#21

It strips quotes only after URL-decoding %-escaped strings was done, rather than before.

Patch is included in the Debian security advisory DSA-1679-1:
  http://www.debian.org/security/2008/dsa-1679
Comment 2 Fedora Update System 2008-12-06 09:43:41 UTC 
awstats-6.8-3.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/awstats-6.8-3.fc10
Comment 3 Fedora Update System 2008-12-08 13:03:07 UTC 
awstats-6.8-3.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Fedora Update System 2008-12-08 13:04:48 UTC 
awstats-6.8-3.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2008-12-08 13:06:23 UTC 
awstats-6.8-3.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Tim Jackson 2008-12-08 23:17:22 UTC 
I have built it in EPEL5 with the additional fix.