AWStats Patch for [ 2001151 ] XSS Issue
Author Message
FeG Offline
Banned

Posts: 222
Joined: Aug 2007
Post: #8
RE: AWStats Patch for [ 2001151 ] XSS Issue
Hi khan2002,

khan2002 Wrote:I've tried both and both not working on my Debian :

...

Anyone an idea?

Have you changed the awstats.pl file in any way or updated AWStats to a newer version?

Anyway, you can apply this patch by simply adding these lines (with +) to the mentioned functions in awstats.pl:

Code:
sub DecodeEncodedString {
    my $stringtodecode=shift;
    $stringtodecode =~ tr/\+/ /s;
+    $stringtodecode =~ s/%22//g;
    $stringtodecode =~ s/%([A-F0-9][A-F0-9])/pack("C", hex($1))/ieg;
    return $stringtodecode;
}
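
Review bot: the added `s/%22//g` in DecodeEncodedString only removes the percent-encoded form of the double quote, and it runs before the `%XX` decoding line, so a double quote that arrives as a literal `"` character passes through this function unchanged. Deleting the sequence also silently alters legitimate values that contain a quote. I would handle the quote where the string is cleaned for HTML output instead, for example by converting `"` to `&quot;` in CleanFromCSSA next to the existing `<` and `>` replacements, and add a comment here stating which output context this line is meant to protect.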

(DecodeEncodedString should have already been patched on your system, so the line "$stringtodecode =~ s/%22//g;" should already be there)

Code:
sub CleanFromCSSA {
    my $stringtoclean=shift;
+    # To avoid html tags and javascript
    $stringtoclean =~ s/</&lt;/g;
    $stringtoclean =~ s/>/&gt;/g;
+    $stringtoclean =~ s/|//g;
+    # To avoid onload="
+    $stringtoclean =~ s/onload//g;
    return $stringtoclean;
}
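
Review bot: the added `s/|//g` in CleanFromCSSA is a no-op as written, because an unescaped `|` is regex alternation between two empty patterns and only matches the empty string; if the intent is to strip a pipe character it needs to be `s/\|//g`, and if other characters were meant to sit on either side of the `|` they are missing from this line. The `s/onload//g` line is case-sensitive and runs once, so `ONLOAD` is left intact and removing the match from a string like `ononloadload` leaves `onload` behind; it also covers only this one attribute name. Adding the `i` flag helps with case, but escaping quote characters to HTML entities in this function would be more robust than deleting keywords, since a value that cannot close its attribute cannot introduce a new one.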

These four lines weren't added by the patch program, so you can add them manually by editing the awstats.pl file.

Greetings
FeG
08-26-2008 08:06 PM