Message-ID: <20050811155502.61E3C7A00B4@mail.idefense.com>
Date: Thu Aug 11 17:55:09 2005
From: labs-no-reply at idefense.com (iDEFENSE Labs)
Subject: Re: iDEFENSE Security Advisory 08.09.05: AWStats

Martin, 

Apologies for the confusion, and thank you for bringing this to our
attention. The version information was slightly off in our original
advisory. The vulnerability does affect AWStats 6.4 and prior, and the flaw
has been addressed in AWStats 6.5. 

The patch was introduced inadvertently when all eval() calls were replaced
with sane function calls in the cvs commit shown here: 

http://cvs.sourceforge.net/viewcvs.py/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.819&r2=1.820&diff_format=u

The patched function in AWStats 6.5 is at lines 4925 - 4936 of the
awstats.pl script:

sub ShowURLInfo {
	my $url=shift;
	my $nompage=CleanFromCSSA($url);

	# Call to plugins' function ShowInfoURL
	foreach my $pluginname (keys %{$PluginsLoaded{'ShowInfoURL'}})  {
#		# Pre-6.5 code: $url was interpolated into Perl source and eval()'d
#		my $function="ShowInfoURL_$pluginname('$url')";
#		eval("$function");
		# 6.5: resolve the plugin sub by name and pass $url as a plain argument
		my $function="ShowInfoURL_$pluginname";
		&$function($url);
	}
}

The public advisory on our website has been updated and can be accessed at
the following url: 
http://www.idefense.com/application/poi/display?id=290&type=vulnerabilities&flashstatus=true


iDEFENSE Labs
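The following is an added example, not part of the message above and not
AWStats code. It places the commented-out pre-6.5 dispatch (a string
eval() with $url interpolated into Perl source) next to the 6.5 form
(a symbolic call with $url passed as an argument) so the difference is
observable. The plugin name "demo", the hook body, the attacker_code()
marker sub and the URL value are all constructed for the example; $url
is assumed to be attacker-influenced.

```perl
#!/usr/bin/perl
# Added example (not AWStats code). Contrasts eval()-based plugin
# dispatch with a symbolic-reference call. Plugin name, hook body,
# attacker_code() and the URL below are constructed for illustration.
use strict;
use warnings;

# Stand-in for a plugin hook; a real AWStats plugin would emit a link.
sub ShowInfoURL_demo {
    my ($url) = @_;
    return "demo plugin saw: $url";
}

# Flag that records whether injected code was executed.
our $injected = 0;
sub attacker_code { $injected = 1; return "injected"; }

# Vulnerable pattern: the URL is pasted into Perl source and eval()'d,
# so a URL containing a quote can close the string and append code.
sub dispatch_eval {
    my ($pluginname, $url) = @_;
    my $function = "ShowInfoURL_$pluginname('$url')";
    my $out = eval("$function");
    return defined $out ? $out : "eval failed: $@";
}

# Fixed pattern (as in AWStats 6.5): only the sub name is built from the
# plugin list; $url is an ordinary argument and is never parsed as Perl.
# 'no strict refs' is needed here because the example runs under strict.
sub dispatch_call {
    my ($pluginname, $url) = @_;
    my $function = "ShowInfoURL_$pluginname";
    no strict 'refs';
    return &$function($url);
}

# Constructed attacker-controlled URL: closes the quoted argument and
# splices in a call to attacker_code() before re-opening the quote.
my $evil = "http://x/') . attacker_code() . ('";

$injected = 0;
print "eval: ", dispatch_eval('demo', $evil), "\n";
print "      injected code ran? ", ($injected ? "yes" : "no"), "\n";

$injected = 0;
print "call: ", dispatch_call('demo', $evil), "\n";
print "      injected code ran? ", ($injected ? "yes" : "no"), "\n";
```

With the eval() form the string handed to eval becomes
ShowInfoURL_demo('http://x/') . attacker_code() . (''), which is valid
Perl and runs attacker_code(); with the symbolic call the same value is
delivered to the plugin verbatim and nothing in it is evaluated. Any
use of string eval() with request-derived data in it has the same
shape, which is why replacing every eval() in awstats.pl closed this
issue even though the commit was not aimed at it.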

