Executive Summary
Summary | |
---|---|
Title | AWStats vulnerability |
Informations | |||
---|---|---|---|
Name | USN-686-1 | First vendor Publication | 2008-12-04 |
Vendor | Ubuntu | Last vendor Modification | 2008-12-04 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:N/I:P/A:N) | |||
---|---|---|---|
Cvss Base Score | 4.3 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Medium |
Cvss Expoit Score | 8.6 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS Ubuntu 7.10 Ubuntu 8.04 LTS Ubuntu 8.10 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: Ubuntu 7.10: Ubuntu 8.04 LTS: Ubuntu 8.10: In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: Morgan Todd discovered that AWStats did not correctly strip quotes from certain parameters, allowing for an XSS attack when running as a CGI. If a user was tricked by a remote attacker into following a specially crafted URL, the user's authentication information could be exposed for the domain where AWStats was hosted. |
Original Source
Url : http://www.ubuntu.com/usn/USN-686-1 |
CAPEC : Common Attack Pattern Enumeration & Classification
Id | Name |
---|---|
CAPEC-18 | Embedding Scripts in Nonscript Elements |
CAPEC-19 | Embedding Scripts within Scripts |
CAPEC-32 | Embedding Scripts in HTTP Query Strings |
CAPEC-63 | Simple Script Injection |
CAPEC-85 | Client Network Footprinting (using AJAX/XSS) |
CAPEC-86 | Embedding Script (XSS ) in HTTP Headers |
CAPEC-91 | XSS in IMG Tags |
CAPEC-106 | Cross Site Scripting through Log Files |
CAPEC-198 | Cross-Site Scripting in Error Pages |
CAPEC-199 | Cross-Site Scripting Using Alternate Syntax |
CAPEC-209 | Cross-Site Scripting Using MIME Type Mismatch |
CAPEC-232 | Exploitation of Privilege/Trust |
CAPEC-243 | Cross-Site Scripting in Attributes |
CAPEC-244 | Cross-Site Scripting via Encoded URI Schemes |
CAPEC-245 | Cross-Site Scripting Using Doubled Characters, e.g. %3C%3Cscript |
CAPEC-246 | Cross-Site Scripting Using Flash |
CAPEC-247 | Cross-Site Scripting with Masking through Invalid Characters in Identifiers |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25) |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:17861 | |||
Oval ID: | oval:org.mitre.oval:def:17861 | ||
Title: | USN-686-1 -- awstats vulnerability | ||
Description: | Morgan Todd discovered that AWStats did not correctly strip quotes from certain parameters, allowing for an XSS attack when running as a CGI. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-686-1 CVE-2008-3714 CVE-2008-5080 | Version: | 7 |
Platform(s): | Ubuntu 6.06 Ubuntu 7.10 Ubuntu 8.04 Ubuntu 8.10 | Product(s): | awstats |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:20224 | |||
Oval ID: | oval:org.mitre.oval:def:20224 | ||
Title: | DSA-1679-1 awstats - cross-site scripting | ||
Description: | Morgan Todd discovered a cross-site scripting vulnerability in awstats, a log file analyzer, involving the "config" request parameter (and possibly others; <a href="http://security-tracker.debian.org/tracker/CVE-2008-3714">CVE-2008-3714</a>). | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1679-1 CVE-2008-3714 | Version: | 5 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | awstats |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:8151 | |||
Oval ID: | oval:org.mitre.oval:def:8151 | ||
Title: | DSA-1679 awstats -- cross-site scripting | ||
Description: | Morgan Todd discovered a cross-site scripting vulnerability in awstats, a log file analyzer, involving the "config" request parameter (and possibly others; CVE-2008-3714). | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1679 CVE-2008-3714 | Version: | 3 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | awstats |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2009-12-10 | Name : Fedora Core 10 FEDORA-2009-12444 (awstats) File : nvt/fcore_2009_12444.nasl |
2009-10-19 | Name : Mandrake Security Advisory MDVSA-2009:266 (awstats) File : nvt/mdksa_2009_266.nasl |
2009-03-23 | Name : Ubuntu Update for awstats vulnerability USN-686-1 File : nvt/gb_ubuntu_USN_686_1.nasl |
2009-02-17 | Name : Fedora Update for awstats FEDORA-2008-7663 File : nvt/gb_fedora_2008_7663_awstats_fc9.nasl |
2009-02-17 | Name : Fedora Update for awstats FEDORA-2008-7684 File : nvt/gb_fedora_2008_7684_awstats_fc8.nasl |
2009-02-16 | Name : Fedora Update for awstats FEDORA-2008-10938 File : nvt/gb_fedora_2008_10938_awstats_fc8.nasl |
2009-02-16 | Name : Fedora Update for awstats FEDORA-2008-10950 File : nvt/gb_fedora_2008_10950_awstats_fc10.nasl |
2009-02-16 | Name : Fedora Update for awstats FEDORA-2008-10962 File : nvt/gb_fedora_2008_10962_awstats_fc9.nasl |
2009-01-07 | Name : FreeBSD Ports: awstats File : nvt/freebsd_awstats3.nasl |
2008-12-10 | Name : Debian Security Advisory DSA 1679-1 (awstats) File : nvt/deb_1679_1.nasl |
2008-12-09 | Name : AWStats awstats.pl XSS Vulnerability - Dec08 File : nvt/gb_awstats_xss_vuln.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
47536 | AWStats awstats.pl URL XSS |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2009-04-23 | Name : The remote Fedora host is missing a security update. File : fedora_2008-10950.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-686-1.nasl - Type : ACT_GATHER_INFO |
2009-01-05 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_27d78386d35f11ddb800001b77d09812.nasl - Type : ACT_GATHER_INFO |
2008-12-09 | Name : The remote Fedora host is missing a security update. File : fedora_2008-10938.nasl - Type : ACT_GATHER_INFO |
2008-12-09 | Name : The remote Fedora host is missing a security update. File : fedora_2008-10962.nasl - Type : ACT_GATHER_INFO |
2008-12-04 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1679.nasl - Type : ACT_GATHER_INFO |
2008-09-10 | Name : The remote Fedora host is missing a security update. File : fedora_2008-7663.nasl - Type : ACT_GATHER_INFO |
2008-09-10 | Name : The remote Fedora host is missing a security update. File : fedora_2008-7684.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 12:05:30 |
|