Multiple security vulnerabilities have been discovered in the AWStats software package. Malicious users can exploit them to inject arbitrary web script, HTML and SQL code.
Package: awstats 7.x
Operating systems: Fedora 14, Fedora 15, Fedora 16
Problem: error in a program component, XSS
Exploitation: local/remote
Consequence: execution of SQL code, injection of HTML and script code
Solution: vendor software patch
Original advisory ID: FEDORA-2011-13947
Source: Fedora
Problem:
The vulnerabilities are caused by XSS, SQL injection, CRLF injection and HTTP response splitting flaws in the "awredir.pl" script.
Consequence:
They allow an attacker to carry out XSS attacks and inject SQL code.
Solution:
Users are advised to use the corrected versions.
Original advisory text
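The CRLF injection / HTTP response splitting class named above arises when a redirect script copies a user-supplied target straight into a Location header. The following is an added example (not code from AWStats, awredir.pl or Fedora) that shows that pattern beside a hardened variant; the parameter name `url`, the helper names and the host allow-list are assumptions.

```python
"""Added example: CGI redirect header, vulnerable pattern vs. hardened pattern.

Not AWStats code. `url`, the helper names and the allow-list are assumptions
used to illustrate the flaw class the advisory names in awredir.pl.
"""
from urllib.parse import urlsplit, quote

# Control characters that must never reach a header line (CR/LF end a header,
# an empty line ends the whole header block, NUL truncates C string buffers).
_FORBIDDEN = frozenset("\r\n\0")


def redirect_headers_unsafe(url: str) -> str:
    """Vulnerable pattern: user input copied verbatim into the Location header."""
    return f"Status: 302 Found\r\nLocation: {url}\r\n\r\n"


def validate_redirect_target(url: str, allowed_hosts=None) -> str:
    """Return a header-safe redirect target or raise ValueError.

    Order matters: the control-character check runs before urlsplit(), because
    recent Python versions silently strip CR/LF/TAB inside urlsplit().
    """
    if any(c in _FORBIDDEN for c in url):
        raise ValueError("control character in redirect target")
    parts = urlsplit(url)
    # Only absolute http(s) targets; blocks javascript:, data: and relative tricks.
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("redirect target must be an absolute http(s) URL")
    # Optional allow-list of destination hosts closes the open-redirect angle.
    if allowed_hosts is not None and parts.hostname not in allowed_hosts:
        raise ValueError("redirect target host not in allow-list")
    # Percent-encode anything outside the URL-safe set as defence in depth;
    # '%' stays safe so already-encoded input is not double-encoded.
    return quote(url, safe=":/?#[]@!$&'()*+,;=%~")


def redirect_headers_safe(url: str, allowed_hosts=None) -> str:
    """Hardened pattern: the value is validated before it touches the header."""
    target = validate_redirect_target(url, allowed_hosts)
    return f"Status: 302 Found\r\nLocation: {target}\r\n\r\n"


def header_block_count(raw: str) -> int:
    """Number of header terminators in a CGI output; a split response has > 1."""
    return raw.count("\r\n\r\n")
```

Run `header_block_count()` over the output of both builders with a constructed target containing a raw CR/LF pair: the unsafe builder yields two header blocks, the safe one refuses the input.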
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-13947
2011-10-08 23:28:32
--------------------------------------------------------------------------------
Name : awstats
Product : Fedora 16
Version : 7.0
Release : 5.fc16
URL : http://awstats.sourceforge.net
Summary : Advanced Web Statistics
Description :
Advanced Web Statistics is a powerful and featureful tool that generates
advanced web server graphic statistics. This server log analyzer works
from command line or as a CGI and shows you all information your log contains,
in graphical web pages. It can analyze a lot of web/wap/proxy servers like
Apache, IIS, Weblogic, Webstar, Squid, ... but also mail or ftp servers.
This program can measure visits, unique visitors, authenticated users, pages,
domains/countries, OS busiest times, robot visits, type of files, search
engines/keywords used, visits duration, HTTP errors and more...
Statistics can be updated from a browser or your scheduler.
The program also supports virtual servers, plugins and a lot of features.
With the default configuration, the statistics are available:
http://localhost/awstats/awstats.pl
--------------------------------------------------------------------------------
Update Information:
Fixes XSS flaws, sql injection and header response splitting flaw in awredir.pl
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #740926 - awstats: multiple flaws in awredir.pl
https://bugzilla.redhat.com/show_bug.cgi?id=740926
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update awstats' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
https://admin.fedoraproject.org/mailman/listinfo/package-announce
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-13999
2011-10-09 06:18:54
--------------------------------------------------------------------------------
Name : awstats
Product : Fedora 15
Version : 7.0
Release : 5.fc15
URL : http://awstats.sourceforge.net
Summary : Advanced Web Statistics
Description :
Advanced Web Statistics is a powerful and featureful tool that generates
advanced web server graphic statistics. This server log analyzer works
from command line or as a CGI and shows you all information your log contains,
in graphical web pages. It can analyze a lot of web/wap/proxy servers like
Apache, IIS, Weblogic, Webstar, Squid, ... but also mail or ftp servers.
This program can measure visits, unique visitors, authenticated users, pages,
domains/countries, OS busiest times, robot visits, type of files, search
engines/keywords used, visits duration, HTTP errors and more...
Statistics can be updated from a browser or your scheduler.
The program also supports virtual servers, plugins and a lot of features.
With the default configuration, the statistics are available:
http://localhost/awstats/awstats.pl
--------------------------------------------------------------------------------
Update Information:
Fixes XSS flaws, sql injection and header response splitting flaw in awredir.pl
--------------------------------------------------------------------------------
ChangeLog:
* Fri Oct 7 2011 Petr Lautrbach <e-mail address not shown on page> 7.0-5
- fix CRLF Injection flaw (#740926)
* Mon Oct 3 2011 Petr Lautrbach <e-mail address not shown on page> 7.0-4
- fix multiple XSS and sql injection flaws (#740926)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #740926 - awstats: multiple flaws in awredir.pl
https://bugzilla.redhat.com/show_bug.cgi?id=740926
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update awstats' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
https://admin.fedoraproject.org/mailman/listinfo/package-announce
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-14025
2011-10-09 06:19:52
--------------------------------------------------------------------------------
Name : awstats
Product : Fedora 14
Version : 7.0
Release : 4.fc14
URL : http://awstats.sourceforge.net
Summary : Advanced Web Statistics
Description :
Advanced Web Statistics is a powerful and featureful tool that generates
advanced web server graphic statistics. This server log analyzer works
from command line or as a CGI and shows you all information your log contains,
in graphical web pages. It can analyze a lot of web/wap/proxy servers like
Apache, IIS, Weblogic, Webstar, Squid, ... but also mail or ftp servers.
This program can measure visits, unique visitors, authenticated users, pages,
domains/countries, OS busiest times, robot visits, type of files, search
engines/keywords used, visits duration, HTTP errors and more...
Statistics can be updated from a browser or your scheduler.
The program also supports virtual servers, plugins and a lot of features.
With the default configuration, the statistics are available:
http://localhost/awstats/awstats.pl
--------------------------------------------------------------------------------
Update Information:
Fixes XSS flaws, sql injection and header response splitting flaw in awredir.pl
--------------------------------------------------------------------------------
ChangeLog:
* Fri Oct 7 2011 Petr Lautrbach <e-mail address not shown on page> 7.0-4
- fix CRLF Injection flaw (#740926)
* Mon Oct 3 2011 Petr Lautrbach <e-mail address not shown on page> 7.0-3
- fix multiple XSS and sql injection flaws (#740926)
* Tue Feb 15 2011 Petr Lautrbach <e-mail address not shown on page> 7.0-2
- update to upstream 7.0 version
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #740926 - awstats: multiple flaws in awredir.pl
https://bugzilla.redhat.com/show_bug.cgi?id=740926
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update awstats' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
https://admin.fedoraproject.org/mailman/listinfo/package-announce