ID OPENVAS:66432 Type openvas Reporter Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com Modified 2017-07-10T00:00:00
Description
The remote host is missing an update to awstats
announced via advisory FEDORA-2009-12444.
# OpenVAS Vulnerability Test
# $Id: fcore_2009_12444.nasl 6624 2017-07-10 06:11:55Z cfischer $
# Description: Auto-generated from advisory FEDORA-2009-12444 (awstats)
#
# Authors:
# Thomas Reinke <reinke@securityspace.com>
#
# Copyright:
# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com
# Text descriptions are largely excerpted from the referenced
# advisory, and are Copyright (c) the respective author(s)
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2,
# or at your option, GNU General Public License version 3,
# as published by the Free Software Foundation
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Helper include loaded ahead of the metadata block. Nothing in the visible
# script calls into it by an obviously matching name; what it provides is not
# shown here.
include("revisions-lib.inc");
# Advisory text surfaced to the scan operator as the "insight" tag. It is
# copied from the Fedora update notice: the fix is the move to awstats 6.95,
# which makes awredir.pl require a security key by default and tightens the
# parameter sanitizing function.
# NOTE(review): line breaks inside these literals are part of the reported
# text; do not re-wrap them.
tag_insight = "Update Information:
- Fix security in awredir.pl by adding a security key required by default.
- Enhance security of parameter sanitizing function.
ChangeLog:
* Thu Nov 26 2009 Aurelien Bompard - 6.95-1
- version 6.95 (security fix)
- drop patch0";
# Remediation text shown with the finding: update the awstats package through
# yum. The last line is the reporter's own advisory lookup URL.
tag_solution = "Apply the appropriate updates.
This update can be installed with the yum update program. Use
su -c 'yum update awstats' at the command line.
For more information, refer to Managing Software with yum,
available at http://docs.fedoraproject.org/yum/.
https://secure1.securityspace.com/smysecure/catid.html?in=FEDORA-2009-12444";
# One-line summary of the finding; names the advisory, not the flaw itself.
tag_summary = "The remote host is missing an update to awstats
announced via advisory FEDORA-2009-12444.";
# Metadata pass: when the scanner loads the plugin with `description` set,
# only the registration calls below run and the script exits before any
# host-facing logic.
if (description)
{
  # Plugin identity and revision bookkeeping.
  script_id(66432);
  script_version("$Revision: 6624 $");
  script_tag(name:"last_modification", value:"$Date: 2017-07-10 08:11:55 +0200 (Mon, 10 Jul 2017) $");
  script_tag(name:"creation_date", value:"2009-12-10 00:23:54 +0100 (Thu, 10 Dec 2009)");

  # Severity data: CVSS v2 base score 4.3, network vector, partial integrity
  # impact only.
  # NOTE(review): tag_insight describes awredir.pl hardening and a stricter
  # sanitizing function, while the only CVE attached here is CVE-2008-3714.
  # Confirm the mapping against the Fedora advisory before relying on this
  # plugin as evidence that a specific flaw is present or fixed.
  script_cve_id("CVE-2008-3714");
  script_tag(name:"cvss_base", value:"4.3");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_name("Fedora Core 10 FEDORA-2009-12444 (awstats)");

  # Information-gathering category: the check registers itself as passive.
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com");
  script_family("Fedora Local Security Checks");

  # Runs only after the package-list collector and only when both
  # knowledge-base keys are present. Judging by their names they require an
  # authenticated SSH login that produced an RPM list - verify against
  # gather-package-list.nasl. Without them the plugin stays silent, which
  # must not be read as "patched".
  script_dependencies("gather-package-list.nasl");
  script_mandatory_keys("ssh/login/fedora", "ssh/login/rpms");

  # Operator-facing text defined at the top of the file.
  script_tag(name:"insight", value:tag_insight);
  script_tag(name:"solution", value:tag_solution);
  script_tag(name:"summary", value:tag_summary);

  # Declares the result as package-based, with a vendor-supplied fix.
  script_tag(name:"qod_type", value:"package");
  script_tag(name:"solution_type", value:"VendorFix");

  exit(0);
}
#
# The script code starts here
#
# RPM helper library; presumably the source of isrpmvuln() and __pkg_match,
# neither of which is defined in this file.
include("pkg-lib-rpm.inc");

res = "";
report = "";

# Ask the helper about the installed awstats package on Fedora Core 10. The
# reference string is name~version~release, i.e. the fixed build 6.95-1.fc10.
# A non-NULL return is treated as finding text and appended to the report.
# NOTE(review): the comparison itself lives in pkg-lib-rpm.inc; presumably it
# flags installed builds older than the reference - confirm there.
res = isrpmvuln(pkg:"awstats", rpm:"awstats~6.95~1.fc10", rls:"FC10");
if (res != NULL) {
  report += res;
}

# Three outcomes:
#   - report text present        -> raise the finding;
#   - nothing to report, package -> exit code 99, the explicit
#     was matched                   "not vulnerable" result;
#   - neither                    -> fall through with no result at all
#     (looks like the package was not seen; treat as "unknown").
# The verdict rests on the package version alone; it does not inspect how
# awstats is deployed or configured on the host.
if (report != "") {
  security_message(data:report);
} else if (__pkg_match) {
  exit(99); # Not vulnerable.
}
{"id": "OPENVAS:66432", "type": "openvas", "bulletinFamily": "scanner", "title": "Fedora Core 10 FEDORA-2009-12444 (awstats)", "description": "The remote host is missing an update to awstats\nannounced via advisory FEDORA-2009-12444.", "published": "2009-12-10T00:00:00", "modified": "2017-07-10T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=66432", "reporter": "Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com", "references": [], "cvelist": ["CVE-2008-3714"], "lastseen": "2017-07-25T10:56:16", "viewCount": 3, "enchantments": {"score": {"value": 7.0, "vector": "NONE", "modified": "2017-07-25T10:56:16", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2008-3714"]}, {"type": "debian", "idList": ["DEBIAN:DSA-1679-1:AD039"]}, {"type": "seebug", "idList": ["SSV:4521"]}, {"type": "exploitdb", "idList": ["EDB-ID:32258"]}, {"type": "fedora", "idList": ["FEDORA:335D710F88E", "FEDORA:934BE2E0049", "FEDORA:1E0212086F7", "FEDORA:24148208DA9", "FEDORA:0D39420896E", "FEDORA:373F9208D5A"]}, {"type": "openvas", "idList": ["OPENVAS:860477", "OPENVAS:62841", "OPENVAS:860134", "OPENVAS:860702", "OPENVAS:136141256231066022", "OPENVAS:860678", "OPENVAS:840194", "OPENVAS:860063", "OPENVAS:66022", "OPENVAS:136141256231066432"]}, {"type": "nessus", "idList": ["UBUNTU_USN-686-1.NASL", "FEDORA_2008-10938.NASL", "FEDORA_2008-10962.NASL", "DEBIAN_DSA-1679.NASL", "FREEBSD_PKG_27D78386D35F11DDB800001B77D09812.NASL", "FEDORA_2008-10950.NASL", "FEDORA_2008-7663.NASL", "FEDORA_2008-7684.NASL"]}, {"type": "ubuntu", "idList": ["USN-686-1"]}, {"type": "freebsd", "idList": ["27D78386-D35F-11DD-B800-001B77D09812"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:9305"]}], "modified": "2017-07-25T10:56:16", "rev": 2}, "vulnersScore": 7.0}, "pluginID": "66432", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: fcore_2009_12444.nasl 6624 2017-07-10 
06:11:55Z cfischer $\n# Description: Auto-generated from advisory FEDORA-2009-12444 (awstats)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Update Information:\n\n- Fix security in awredir.pl by adding a security key required by default.\n- Enhance security of parameter sanitizing function.\n\nChangeLog:\n\n* Thu Nov 26 2009 Aurelien Bompard - 6.95-1\n- version 6.95 (security fix)\n- drop patch0\";\ntag_solution = \"Apply the appropriate updates.\n\nThis update can be installed with the yum update program. 
Use \nsu -c 'yum update awstats' at the command line.\nFor more information, refer to Managing Software with yum,\navailable at http://docs.fedoraproject.org/yum/.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=FEDORA-2009-12444\";\ntag_summary = \"The remote host is missing an update to awstats\nannounced via advisory FEDORA-2009-12444.\";\n\n\n\nif(description)\n{\n script_id(66432);\n script_version(\"$Revision: 6624 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:11:55 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-12-10 00:23:54 +0100 (Thu, 10 Dec 2009)\");\n script_cve_id(\"CVE-2008-3714\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_name(\"Fedora Core 10 FEDORA-2009-12444 (awstats)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"awstats\", rpm:\"awstats~6.95~1.fc10\", rls:\"FC10\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "naslFamily": "Fedora Local Security Checks"}
{"cve": [{"lastseen": "2020-10-03T11:51:01", "description": "Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.8 allows remote attackers to inject arbitrary web script or HTML via the query_string, a different vulnerability than CVE-2006-3681 and CVE-2006-1945.", "edition": 3, "cvss3": {}, "published": "2008-08-19T19:41:00", "title": "CVE-2008-3714", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-3714"], "modified": "2017-08-08T01:32:00", "cpe": ["cpe:/a:awstats:awstats:6.8"], "id": "CVE-2008-3714", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3714", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:awstats:awstats:6.8:*:*:*:*:*:*:*"]}], "debian": [{"lastseen": "2019-05-30T02:21:44", "bulletinFamily": "unix", "cvelist": ["CVE-2008-3714"], "description": "- ------------------------------------------------------------------------\nDebian Security Advisory DSA-1679-1 security@debian.org\nhttp://www.debian.org/security/ Florian Weimer\nDecember 03, 2008 http://www.debian.org/security/faq\n- ------------------------------------------------------------------------\n\nPackage : awstats\nVulnerability : cross-site scripting\nProblem type : remote\nDebian-specific: no\nCVE Id(s) : CVE-2008-3714\nDebian Bug : 495432\n\nMorgan Todd discovered a cross-site scripting vulnerability in awstats,\na log file analyzer, involving the "config" request parameter (and\npossibly others; CVE-2008-3714).\n\nFor the 
stable distribution (etch), this problem has been fixed in version\n6.5+dfsg-1+etch1.\n\nThe unstable (sid) and testing (lenny) distribution will be fixed soon.\n\nWe recommend that you upgrade your awstats package.\n\nUpgrade instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 4.0 alias etch\n- -------------------------------\n\nSource archives:\n\n http://security.debian.org/pool/updates/main/a/awstats/awstats_6.5+dfsg-1+etch1.diff.gz\n Size/MD5 checksum: 20369 bbe38406f0402fd5b7be2d0a427223c8\n http://security.debian.org/pool/updates/main/a/awstats/awstats_6.5+dfsg-1+etch1.dsc\n Size/MD5 checksum: 1079 2fd97dfcfcbf48cbe0e4a1a431cb43bd\n http://security.debian.org/pool/updates/main/a/awstats/awstats_6.5+dfsg.orig.tar.gz\n Size/MD5 checksum: 1041837 af6cbfbf470eb45f5238501813d6d1c6\n\nArchitecture independent packages:\n\n http://security.debian.org/pool/updates/main/a/awstats/awstats_6.5+dfsg-1+etch1_all.deb\n Size/MD5 checksum: 837326 878a4f0ab2ccb36c324c0c171a6a39b5\n\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n", "edition": 2, "modified": "2008-12-03T11:06:02", "published": "2008-12-03T11:06:02", "id": "DEBIAN:DSA-1679-1:AD039", "href": 
"https://lists.debian.org/debian-security-announce/debian-security-announce-2008/msg00271.html", "title": "[SECURITY] [DSA 1679-1] New awstats packages fix cross-site scripting", "type": "debian", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "fedora": [{"lastseen": "2020-12-21T08:17:49", "bulletinFamily": "unix", "cvelist": ["CVE-2008-3714"], "description": "Advanced Web Statistics is a powerful and featureful tool that generates advanced web server graphic statistics. This server log analyzer works from command line or as a CGI and shows you all information your log contai ns, in graphical web pages. It can analyze a lot of web/wap/proxy servers like Apache, IIS, Weblogic, Webstar, Squid, ... but also mail or ftp servers. This program can measure visits, unique vistors, authenticated users, pages, domains/countries, OS busiest times, robot visits, type of files, search engines/keywords used, visits duration, HTTP errors and more... Statistics can be updated from a browser or your scheduler. The program also supports virtual servers, plugins and a lot of features. With the default configuration, the statistics are available: http://localhost/awstats/awstats.pl ", "modified": "2008-09-10T07:05:39", "published": "2008-09-10T07:05:39", "id": "FEDORA:934BE2E0049", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 8 Update: awstats-6.8-2.fc8", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-12-21T08:17:49", "bulletinFamily": "unix", "cvelist": ["CVE-2008-3714"], "description": "Advanced Web Statistics is a powerful and featureful tool that generates advanced web server graphic statistics. This server log analyzer works from command line or as a CGI and shows you all information your log contai ns, in graphical web pages. It can analyze a lot of web/wap/proxy servers like Apache, IIS, Weblogic, Webstar, Squid, ... but also mail or ftp servers. 
This program can measure visits, unique vistors, authenticated users, pages, domains/countries, OS busiest times, robot visits, type of files, search engines/keywords used, visits duration, HTTP errors and more... Statistics can be updated from a browser or your scheduler. The program also supports virtual servers, plugins and a lot of features. With the default configuration, the statistics are available: http://localhost/awstats/awstats.pl ", "modified": "2008-09-10T06:38:00", "published": "2008-09-10T06:38:00", "id": "FEDORA:24148208DA9", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 9 Update: awstats-6.8-2.fc9", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-12-21T08:17:49", "bulletinFamily": "unix", "cvelist": ["CVE-2008-3714"], "description": "Advanced Web Statistics is a powerful and featureful tool that generates advanced web server graphic statistics. This server log analyzer works from command line or as a CGI and shows you all information your log contai ns, in graphical web pages. It can analyze a lot of web/wap/proxy servers like Apache, IIS, Weblogic, Webstar, Squid, ... but also mail or ftp servers. This program can measure visits, unique vistors, authenticated users, pages, domains/countries, OS busiest times, robot visits, type of files, search engines/keywords used, visits duration, HTTP errors and more... Statistics can be updated from a browser or your scheduler. The program also supports virtual servers, plugins and a lot of features. 
With the default configuration, the statistics are available: http://localhost/awstats/awstats.pl ", "modified": "2009-12-01T04:44:02", "published": "2009-12-01T04:44:02", "id": "FEDORA:335D710F88E", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 10 Update: awstats-6.95-1.fc10", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-12-21T08:17:49", "bulletinFamily": "unix", "cvelist": ["CVE-2008-3714", "CVE-2008-5080"], "description": "Advanced Web Statistics is a powerful and featureful tool that generates advanced web server graphic statistics. This server log analyzer works from command line or as a CGI and shows you all information your log contai ns, in graphical web pages. It can analyze a lot of web/wap/proxy servers like Apache, IIS, Weblogic, Webstar, Squid, ... but also mail or ftp servers. This program can measure visits, unique vistors, authenticated users, pages, domains/countries, OS busiest times, robot visits, type of files, search engines/keywords used, visits duration, HTTP errors and more... Statistics can be updated from a browser or your scheduler. The program also supports virtual servers, plugins and a lot of features. With the default configuration, the statistics are available: http://localhost/awstats/awstats.pl ", "modified": "2008-12-08T13:03:12", "published": "2008-12-08T13:03:12", "id": "FEDORA:1E0212086F7", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 8 Update: awstats-6.8-3.fc8", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-12-21T08:17:49", "bulletinFamily": "unix", "cvelist": ["CVE-2008-3714", "CVE-2008-5080"], "description": "Advanced Web Statistics is a powerful and featureful tool that generates advanced web server graphic statistics. This server log analyzer works from command line or as a CGI and shows you all information your log contai ns, in graphical web pages. 
It can analyze a lot of web/wap/proxy servers like Apache, IIS, Weblogic, Webstar, Squid, ... but also mail or ftp servers. This program can measure visits, unique vistors, authenticated users, pages, domains/countries, OS busiest times, robot visits, type of files, search engines/keywords used, visits duration, HTTP errors and more... Statistics can be updated from a browser or your scheduler. The program also supports virtual servers, plugins and a lot of features. With the default configuration, the statistics are available: http://localhost/awstats/awstats.pl ", "modified": "2008-12-08T13:06:27", "published": "2008-12-08T13:06:27", "id": "FEDORA:0D39420896E", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 9 Update: awstats-6.8-3.fc9", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-12-21T08:17:49", "bulletinFamily": "unix", "cvelist": ["CVE-2008-3714", "CVE-2008-5080"], "description": "Advanced Web Statistics is a powerful and featureful tool that generates advanced web server graphic statistics. This server log analyzer works from command line or as a CGI and shows you all information your log contai ns, in graphical web pages. It can analyze a lot of web/wap/proxy servers like Apache, IIS, Weblogic, Webstar, Squid, ... but also mail or ftp servers. This program can measure visits, unique vistors, authenticated users, pages, domains/countries, OS busiest times, robot visits, type of files, search engines/keywords used, visits duration, HTTP errors and more... Statistics can be updated from a browser or your scheduler. The program also supports virtual servers, plugins and a lot of features. 
With the default configuration, the statistics are available: http://localhost/awstats/awstats.pl ", "modified": "2008-12-08T13:04:52", "published": "2008-12-08T13:04:52", "id": "FEDORA:373F9208D5A", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 10 Update: awstats-6.8-3.fc10", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "nessus": [{"lastseen": "2021-01-06T09:45:10", "description": "Morgan Todd discovered a cross-site scripting vulnerability in\nawstats, a log file analyzer, involving the 'config' request parameter\n(and possibly others; CVE-2008-3714 ).", "edition": 26, "published": "2008-12-04T00:00:00", "title": "Debian DSA-1679-1 : awstats - XSS", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-3714"], "modified": "2008-12-04T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:4.0", "p-cpe:/a:debian:debian_linux:awstats"], "id": "DEBIAN_DSA-1679.NASL", "href": "https://www.tenable.com/plugins/nessus/35032", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-1679. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(35032);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2008-3714\");\n script_xref(name:\"DSA\", value:\"1679\");\n\n script_name(english:\"Debian DSA-1679-1 : awstats - XSS\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Morgan Todd discovered a cross-site scripting vulnerability in\nawstats, a log file analyzer, involving the 'config' request parameter\n(and possibly others; CVE-2008-3714 ).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495432\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2008-3714\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2008/dsa-1679\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the awstats package.\n\nFor the stable distribution (etch), this problem has been fixed in\nversion 6.5+dfsg-1+etch1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_cwe_id(79);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:awstats\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:4.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/12/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/12/04\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2008-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"4.0\", prefix:\"awstats\", reference:\"6.5+dfsg-1+etch1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-01-12T10:06:39", "description": "Add upstream patch for CVE-2008-3714\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 24, "published": "2008-09-10T00:00:00", "title": "Fedora 8 : awstats-6.8-2.fc8 (2008-7684)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-3714"], "modified": "2008-09-10T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:8", "p-cpe:/a:fedoraproject:fedora:awstats"], "id": "FEDORA_2008-7684.NASL", "href": "https://www.tenable.com/plugins/nessus/34144", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2008-7684.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(34144);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2008-3714\");\n script_bugtraq_id(30730);\n script_xref(name:\"FEDORA\", value:\"2008-7684\");\n\n script_name(english:\"Fedora 8 : awstats-6.8-2.fc8 (2008-7684)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Add upstream patch for CVE-2008-3714\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=459605\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2008-September/013886.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d4dd3982\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected awstats package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(79);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:awstats\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:8\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/09/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/09/10\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2008-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^8([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 8.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC8\", reference:\"awstats-6.8-2.fc8\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"awstats\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-01-12T10:06:39", "description": "Add upstream patch for CVE-2008-3714\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 24, "published": "2008-09-10T00:00:00", "title": "Fedora 9 : awstats-6.8-2.fc9 (2008-7663)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-3714"], "modified": "2008-09-10T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:9", "p-cpe:/a:fedoraproject:fedora:awstats"], "id": "FEDORA_2008-7663.NASL", "href": "https://www.tenable.com/plugins/nessus/34140", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2008-7663.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(34140);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2008-3714\");\n script_bugtraq_id(30730);\n script_xref(name:\"FEDORA\", value:\"2008-7663\");\n\n script_name(english:\"Fedora 9 : awstats-6.8-2.fc9 (2008-7663)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Add upstream patch for CVE-2008-3714\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=459605\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2008-September/013638.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0aeae77f\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected awstats package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(79);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:awstats\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:9\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/09/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/09/10\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2008-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^9([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 9.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC9\", reference:\"awstats-6.8-2.fc9\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"awstats\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-01-07T10:40:45", "description": "Secunia reports :\n\nMorgan Todd has discovered a vulnerability in AWStats, which can be\nexploited by malicious people to conduct cross-site scripting attacks.\n\nInput passed in the URL to awstats.pl is not properly sanitised before\nbeing returned to the user. 
This can be exploited to execute arbitrary\nHTML and script code in a user's browser session in context of an\naffected site.\n\nSuccessful exploitation requires that the application is running as a\nCGI script.", "edition": 26, "published": "2009-01-05T00:00:00", "title": "FreeBSD : awstats -- multiple XSS vulnerabilities (27d78386-d35f-11dd-b800-001b77d09812)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-5080", "CVE-2008-3714"], "modified": "2009-01-05T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:awstats-devel", "p-cpe:/a:freebsd:freebsd:awstats"], "id": "FREEBSD_PKG_27D78386D35F11DDB800001B77D09812.NASL", "href": "https://www.tenable.com/plugins/nessus/35290", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(35290);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2008-3714\", \"CVE-2008-5080\");\n script_xref(name:\"Secunia\", value:\"31519\");\n\n script_name(english:\"FreeBSD : awstats -- multiple XSS vulnerabilities (27d78386-d35f-11dd-b800-001b77d09812)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Secunia reports :\n\nMorgan Todd has discovered a vulnerability in AWStats, which can be\nexploited by malicious people to conduct cross-site scripting attacks.\n\nInput passed in the URL to awstats.pl is not properly sanitised before\nbeing returned to the user. 
This can be exploited to execute arbitrary\nHTML and script code in a user's browser session in context of an\naffected site.\n\nSuccessful exploitation requires that the application is running as a\nCGI script.\"\n );\n # http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495432\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495432\"\n );\n # https://vuxml.freebsd.org/freebsd/27d78386-d35f-11dd-b800-001b77d09812.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?61687de8\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_cwe_id(79);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:awstats\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:awstats-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2008/03/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/01/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/01/05\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"awstats<6.9,1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"awstats-devel>0\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-01-12T10:06:20", "description": "Use Debian's patch for CVE-2008-3714 (rh#474396)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 24, "published": "2008-12-09T00:00:00", "title": "Fedora 9 : awstats-6.8-3.fc9 (2008-10962)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-5080", "CVE-2008-3714"], "modified": "2008-12-09T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:9", "p-cpe:/a:fedoraproject:fedora:awstats"], "id": "FEDORA_2008-10962.NASL", "href": "https://www.tenable.com/plugins/nessus/35065", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2008-10962.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(35065);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2008-3714\", \"CVE-2008-5080\");\n script_xref(name:\"FEDORA\", value:\"2008-10962\");\n\n script_name(english:\"Fedora 9 : awstats-6.8-3.fc9 (2008-10962)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Use Debian's patch for CVE-2008-3714 (rh#474396)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=474396\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2008-December/017419.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5f5a281c\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected awstats package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_cwe_id(79);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:awstats\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:9\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/12/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/12/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2008-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
ereg(pattern:\"^9([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 9.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC9\", reference:\"awstats-6.8-3.fc9\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"awstats\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-01-12T10:06:20", "description": "Use Debian's patch for CVE-2008-3714 (rh#474396)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 24, "published": "2008-12-09T00:00:00", "title": "Fedora 8 : awstats-6.8-3.fc8 (2008-10938)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-5080", "CVE-2008-3714"], "modified": "2008-12-09T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:8", "p-cpe:/a:fedoraproject:fedora:awstats"], "id": "FEDORA_2008-10938.NASL", "href": "https://www.tenable.com/plugins/nessus/35063", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2008-10938.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(35063);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2008-3714\", \"CVE-2008-5080\");\n script_xref(name:\"FEDORA\", value:\"2008-10938\");\n\n script_name(english:\"Fedora 8 : awstats-6.8-3.fc8 (2008-10938)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Use Debian's patch for CVE-2008-3714 (rh#474396)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=474396\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2008-December/017390.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?988f92ef\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected awstats package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_cwe_id(79);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:awstats\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:8\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/12/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/12/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2008-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
ereg(pattern:\"^8([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 8.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC8\", reference:\"awstats-6.8-3.fc8\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"awstats\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-01-12T10:06:20", "description": "Use Debian's patch for CVE-2008-3714 (rh#474396)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 24, "published": "2009-04-23T00:00:00", "title": "Fedora 10 : awstats-6.8-3.fc10 (2008-10950)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-5080", "CVE-2008-3714"], "modified": "2009-04-23T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:10", "p-cpe:/a:fedoraproject:fedora:awstats"], "id": "FEDORA_2008-10950.NASL", "href": "https://www.tenable.com/plugins/nessus/36742", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2008-10950.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(36742);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2008-3714\", \"CVE-2008-5080\");\n script_xref(name:\"FEDORA\", value:\"2008-10950\");\n\n script_name(english:\"Fedora 10 : awstats-6.8-3.fc10 (2008-10950)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Use Debian's patch for CVE-2008-3714 (rh#474396)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=474396\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2008-December/017405.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?2c824862\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected awstats package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_cwe_id(79);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:awstats\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:10\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/12/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/04/23\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
ereg(pattern:\"^10([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 10.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC10\", reference:\"awstats-6.8-3.fc10\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"awstats\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-01-20T15:44:20", "description": "Morgan Todd discovered that AWStats did not correctly strip quotes\nfrom certain parameters, allowing for an XSS attack when running as a\nCGI. If a user was tricked by a remote attacker into following a\nspecially crafted URL, the user's authentication information could be\nexposed for the domain where AWStats was hosted.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 27, "published": "2009-04-23T00:00:00", "title": "Ubuntu 6.06 LTS / 7.10 / 8.04 LTS / 8.10 : awstats vulnerability (USN-686-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-5080", "CVE-2008-3714"], "modified": "2009-04-23T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:7.10", "p-cpe:/a:canonical:ubuntu_linux:awstats", "cpe:/o:canonical:ubuntu_linux:8.04:-:lts", "cpe:/o:canonical:ubuntu_linux:8.10", "cpe:/o:canonical:ubuntu_linux:6.06:-:lts"], "id": "UBUNTU_USN-686-1.NASL", "href": "https://www.tenable.com/plugins/nessus/36652", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-686-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(36652);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2008-3714\", \"CVE-2008-5080\");\n script_bugtraq_id(30730);\n script_xref(name:\"USN\", value:\"686-1\");\n\n script_name(english:\"Ubuntu 6.06 LTS / 7.10 / 8.04 LTS / 8.10 : awstats vulnerability (USN-686-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Morgan Todd discovered that AWStats did not correctly strip quotes\nfrom certain parameters, allowing for an XSS attack when running as a\nCGI. 
If a user was tricked by a remote attacker into following a\nspecially crafted URL, the user's authentication information could be\nexposed for the domain where AWStats was hosted.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/686-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected awstats package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(79);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:awstats\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:6.06:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:7.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:8.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:8.10\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/12/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/04/23\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! ereg(pattern:\"^(6\\.06|7\\.10|8\\.04|8\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 6.06 / 7.10 / 8.04 / 8.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"6.06\", pkgname:\"awstats\", pkgver:\"6.5-1ubuntu1.3\")) flag++;\nif (ubuntu_check(osver:\"7.10\", pkgname:\"awstats\", pkgver:\"6.6+dfsg-1ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"awstats\", pkgver:\"6.7.dfsg-1ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"8.10\", pkgname:\"awstats\", pkgver:\"6.7.dfsg-5ubuntu0.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"awstats\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "openvas": [{"lastseen": "2017-07-24T12:49:52", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-3714"], "description": "The remote host is missing an update to awstats\nannounced via advisory DSA 1679-1.", "modified": "2017-07-07T00:00:00", 
"published": "2008-12-10T00:00:00", "id": "OPENVAS:62841", "href": "http://plugins.openvas.org/nasl.php?oid=62841", "type": "openvas", "title": "Debian Security Advisory DSA 1679-1 (awstats)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_1679_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 1679-1 (awstats)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Morgan Todd discovered a cross-site scripting vulnerability in awstats,\na log file analyzer, involving the config request parameter (and\npossibly others; CVE-2008-3714).\n\nFor the stable distribution (etch), this problem has been fixed in version\n6.5+dfsg-1+etch1.\n\nThe unstable (sid) and testing (lenny) distribution will be fixed soon.\n\nWe recommend that you upgrade your awstats package.\";\ntag_summary = \"The remote host is missing an update to awstats\nannounced via advisory DSA 1679-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201679-1\";\n\n\nif(description)\n{\n script_id(62841);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-12-10 05:23:56 +0100 (Wed, 10 Dec 2008)\");\n script_cve_id(\"CVE-2008-3714\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_name(\"Debian Security Advisory DSA 1679-1 (awstats)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2008 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"awstats\", ver:\"6.5+dfsg-1+etch1\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-12-04T11:28:18", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-3714"], "description": "Ubuntu Update for Linux kernel vulnerabilities USN-686-1", "modified": "2017-12-01T00:00:00", "published": "2009-03-23T00:00:00", "id": "OPENVAS:840194", "href": "http://plugins.openvas.org/nasl.php?oid=840194", "type": "openvas", "title": "Ubuntu Update for awstats vulnerability USN-686-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_686_1.nasl 7969 2017-12-01 09:23:16Z santu $\n#\n# Ubuntu Update for awstats vulnerability USN-686-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be 
useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Morgan Todd discovered that AWStats did not correctly strip quotes from\n certain parameters, allowing for an XSS attack when running as a CGI.\n If a user was tricked by a remote attacker into following a specially\n crafted URL, the user's authentication information could be exposed for\n the domain where AWStats was hosted.\";\n\ntag_summary = \"Ubuntu Update for Linux kernel vulnerabilities USN-686-1\";\ntag_affected = \"awstats vulnerability on Ubuntu 6.06 LTS ,\n Ubuntu 7.10 ,\n Ubuntu 8.04 LTS ,\n Ubuntu 8.10\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name: \"URL\" , value: \"http://www.ubuntu.com/usn/usn-686-1/\");\n script_id(840194);\n script_version(\"$Revision: 7969 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-01 10:23:16 +0100 (Fri, 01 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-03-23 10:59:50 +0100 (Mon, 23 Mar 2009)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_xref(name: \"USN\", value: \"686-1\");\n script_cve_id(\"CVE-2008-3714\");\n script_name( \"Ubuntu Update for awstats vulnerability USN-686-1\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n 
script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\");\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU6.06 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"awstats\", ver:\"6.5-1ubuntu1.3\", rls:\"UBUNTU6.06 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU8.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"awstats\", ver:\"6.7.dfsg-5ubuntu0.1\", rls:\"UBUNTU8.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU8.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"awstats\", ver:\"6.7.dfsg-1ubuntu0.1\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU7.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"awstats\", ver:\"6.6+dfsg-1ubuntu0.1\", rls:\"UBUNTU7.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-07-25T10:56:20", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-3714"], "description": "Check for the Version of awstats", "modified": "2017-07-10T00:00:00", "published": "2009-02-17T00:00:00", "id": "OPENVAS:860678", "href": "http://plugins.openvas.org/nasl.php?oid=860678", "type": "openvas", 
"title": "Fedora Update for awstats FEDORA-2008-7663", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for awstats FEDORA-2008-7663\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Advanced Web Statistics is a powerful and featureful tool that generates\n advanced web server graphic statistics. This server log analyzer works\n from command line or as a CGI and shows you all information your log contains,\n in graphical web pages. It can analyze a lot of web/wap/proxy servers like\n Apache, IIS, Weblogic, Webstar, Squid, ... 
but also mail or ftp servers.\n\n This program can measure visits, unique visitors, authenticated users, pages,\n domains/countries, OS busiest times, robot visits, type of files, search\n engines/keywords used, visits duration, HTTP errors and more...\n Statistics can be updated from a browser or your scheduler.\n The program also supports virtual servers, plugins and a lot of features.\n \n With the default configuration, the statistics are available:\n <a rel= &qt nofollow &qt href= &qt http://localhost/awstats/awstats.pl &qt >http://localhost/awstats/awstats.pl</a>\";\n\ntag_affected = \"awstats on Fedora 9\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00107.html\");\n script_id(860678);\n script_version(\"$Revision: 6623 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:10:20 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-02-17 17:03:12 +0100 (Tue, 17 Feb 2009)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_xref(name: \"FEDORA\", value: \"2008-7663\");\n script_cve_id(\"CVE-2008-3714\");\n script_name( \"Fedora Update for awstats FEDORA-2008-7663\");\n\n script_summary(\"Check for the Version of awstats\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n 
exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC9\")\n{\n\n if ((res = isrpmvuln(pkg:\"awstats\", rpm:\"awstats~6.8~2.fc9\", rls:\"FC9\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-04-06T11:37:53", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-3714"], "description": "The remote host is missing an update to awstats\nannounced via advisory FEDORA-2009-12444.", "modified": "2018-04-06T00:00:00", "published": "2009-12-10T00:00:00", "id": "OPENVAS:136141256231066432", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231066432", "type": "openvas", "title": "Fedora Core 10 FEDORA-2009-12444 (awstats)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: fcore_2009_12444.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Auto-generated from advisory FEDORA-2009-12444 (awstats)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Update Information:\n\n- Fix security in awredir.pl by adding a security key required by default.\n- Enhance security of parameter sanitizing function.\n\nChangeLog:\n\n* Thu Nov 26 2009 Aurelien Bompard - 6.95-1\n- version 6.95 (security fix)\n- drop patch0\";\ntag_solution = \"Apply the appropriate updates.\n\nThis update can be installed with the yum update program. Use \nsu -c 'yum update awstats' at the command line.\nFor more information, refer to Managing Software with yum,\navailable at http://docs.fedoraproject.org/yum/.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=FEDORA-2009-12444\";\ntag_summary = \"The remote host is missing an update to awstats\nannounced via advisory FEDORA-2009-12444.\";\n\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.66432\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-12-10 00:23:54 +0100 (Thu, 10 Dec 2009)\");\n script_cve_id(\"CVE-2008-3714\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_name(\"Fedora Core 10 FEDORA-2009-12444 (awstats)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"awstats\", rpm:\"awstats~6.95~1.fc10\", rls:\"FC10\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-07-25T10:56:45", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-3714"], "description": "Check for the Version of awstats", "modified": "2017-07-10T00:00:00", "published": "2009-02-17T00:00:00", "id": "OPENVAS:860134", "href": "http://plugins.openvas.org/nasl.php?oid=860134", "type": "openvas", "title": "Fedora Update for awstats FEDORA-2008-7684", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for awstats FEDORA-2008-7684\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Advanced Web Statistics is a powerful and featureful tool that generates\n advanced web server graphic statistics. This server log analyzer works\n from command line or as a CGI and shows you all information your log contains,\n in graphical web pages. It can analyze a lot of web/wap/proxy servers like\n Apache, IIS, Weblogic, Webstar, Squid, ... but also mail or ftp servers.\n\n This program can measure visits, unique visitors, authenticated users, pages,\n domains/countries, OS busiest times, robot visits, type of files, search\n engines/keywords used, visits duration, HTTP errors and more...\n Statistics can be updated from a browser or your scheduler.\n The program also supports virtual servers, plugins and a lot of features.\n \n With the default configuration, the statistics are available:\n <a rel= &qt nofollow &qt href= &qt http://localhost/awstats/awstats.pl &qt >http://localhost/awstats/awstats.pl</a>\";\n\ntag_affected = \"awstats on Fedora 8\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00355.html\");\n script_id(860134);\n script_version(\"$Revision: 6623 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:10:20 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-02-17 17:03:12 +0100 (Tue, 17 Feb 2009)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n 
script_xref(name: \"FEDORA\", value: \"2008-7684\");\n script_cve_id(\"CVE-2008-3714\");\n script_name( \"Fedora Update for awstats FEDORA-2008-7684\");\n\n script_summary(\"Check for the Version of awstats\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC8\")\n{\n\n if ((res = isrpmvuln(pkg:\"awstats\", rpm:\"awstats~6.8~2.fc8\", rls:\"FC8\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-07-25T10:55:59", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-5080", "CVE-2008-3714"], "description": "Check for the Version of awstats", "modified": "2017-07-10T00:00:00", "published": "2009-02-16T00:00:00", "id": "OPENVAS:860477", "href": "http://plugins.openvas.org/nasl.php?oid=860477", "type": "openvas", "title": "Fedora Update for awstats FEDORA-2008-10950", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for awstats FEDORA-2008-10950\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can 
redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Advanced Web Statistics is a powerful and featureful tool that generates\n advanced web server graphic statistics. This server log analyzer works\n from command line or as a CGI and shows you all information your log contains,\n in graphical web pages. It can analyze a lot of web/wap/proxy servers like\n Apache, IIS, Weblogic, Webstar, Squid, ... 
but also mail or ftp servers.\n\n This program can measure visits, unique visitors, authenticated users, pages,\n domains/countries, OS busiest times, robot visits, type of files, search\n engines/keywords used, visits duration, HTTP errors and more...\n Statistics can be updated from a browser or your scheduler.\n The program also supports virtual servers, plugins and a lot of features.\n \n With the default configuration, the statistics are available:\n <a rel= &qt nofollow &qt href= &qt http://localhost/awstats/awstats.pl &qt >http://localhost/awstats/awstats.pl</a>\";\n\ntag_affected = \"awstats on Fedora 10\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00495.html\");\n script_id(860477);\n script_version(\"$Revision: 6623 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:10:20 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-02-16 14:16:57 +0100 (Mon, 16 Feb 2009)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_xref(name: \"FEDORA\", value: \"2008-10950\");\n script_cve_id(\"CVE-2008-3714\", \"CVE-2008-5080\");\n script_name( \"Fedora Update for awstats FEDORA-2008-10950\");\n\n script_summary(\"Check for the Version of awstats\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", 
value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC10\")\n{\n\n if ((res = isrpmvuln(pkg:\"awstats\", rpm:\"awstats~6.8~3.fc10\", rls:\"FC10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-07-25T10:56:16", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-5080", "CVE-2008-3714"], "description": "Check for the Version of awstats", "modified": "2017-07-10T00:00:00", "published": "2009-02-16T00:00:00", "id": "OPENVAS:860063", "href": "http://plugins.openvas.org/nasl.php?oid=860063", "type": "openvas", "title": "Fedora Update for awstats FEDORA-2008-10938", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for awstats FEDORA-2008-10938\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Advanced Web Statistics is a powerful and featureful tool that generates\n advanced web server graphic statistics. This server log analyzer works\n from command line or as a CGI and shows you all information your log contains,\n in graphical web pages. It can analyze a lot of web/wap/proxy servers like\n Apache, IIS, Weblogic, Webstar, Squid, ... but also mail or ftp servers.\n\n This program can measure visits, unique visitors, authenticated users, pages,\n domains/countries, OS busiest times, robot visits, type of files, search\n engines/keywords used, visits duration, HTTP errors and more...\n Statistics can be updated from a browser or your scheduler.\n The program also supports virtual servers, plugins and a lot of features.\n \n With the default configuration, the statistics are available:\n <a rel= &qt nofollow &qt href= &qt http://localhost/awstats/awstats.pl &qt >http://localhost/awstats/awstats.pl</a>\";\n\ntag_affected = \"awstats on Fedora 8\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00480.html\");\n script_id(860063);\n script_version(\"$Revision: 6623 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:10:20 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-02-16 14:16:57 +0100 (Mon, 16 Feb 2009)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_xref(name: 
\"FEDORA\", value: \"2008-10938\");\n script_cve_id(\"CVE-2008-3714\", \"CVE-2008-5080\");\n script_name( \"Fedora Update for awstats FEDORA-2008-10938\");\n\n script_summary(\"Check for the Version of awstats\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC8\")\n{\n\n if ((res = isrpmvuln(pkg:\"awstats\", rpm:\"awstats~6.8~3.fc8\", rls:\"FC8\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-07-25T10:56:17", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-5080", "CVE-2008-3714"], "description": "Check for the Version of awstats", "modified": "2017-07-10T00:00:00", "published": "2009-02-16T00:00:00", "id": "OPENVAS:860702", "href": "http://plugins.openvas.org/nasl.php?oid=860702", "type": "openvas", "title": "Fedora Update for awstats FEDORA-2008-10962", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for awstats FEDORA-2008-10962\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can 
redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Advanced Web Statistics is a powerful and featureful tool that generates\n advanced web server graphic statistics. This server log analyzer works\n from command line or as a CGI and shows you all information your log contains,\n in graphical web pages. It can analyze a lot of web/wap/proxy servers like\n Apache, IIS, Weblogic, Webstar, Squid, ... 
but also mail or ftp servers.\n\n This program can measure visits, unique visitors, authenticated users, pages,\n domains/countries, OS busiest times, robot visits, type of files, search\n engines/keywords used, visits duration, HTTP errors and more...\n Statistics can be updated from a browser or your scheduler.\n The program also supports virtual servers, plugins and a lot of features.\n \n With the default configuration, the statistics are available:\n <a rel= &qt nofollow &qt href= &qt http://localhost/awstats/awstats.pl &qt >http://localhost/awstats/awstats.pl</a>\";\n\ntag_affected = \"awstats on Fedora 9\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00509.html\");\n script_id(860702);\n script_version(\"$Revision: 6623 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:10:20 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-02-16 14:16:57 +0100 (Mon, 16 Feb 2009)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_xref(name: \"FEDORA\", value: \"2008-10962\");\n script_cve_id(\"CVE-2008-3714\", \"CVE-2008-5080\");\n script_name( \"Fedora Update for awstats FEDORA-2008-10962\");\n\n script_summary(\"Check for the Version of awstats\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", 
value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC9\")\n{\n\n if ((res = isrpmvuln(pkg:\"awstats\", rpm:\"awstats~6.8~3.fc9\", rls:\"FC9\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-07-24T12:56:51", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-5080", "CVE-2008-3714"], "description": "The remote host is missing an update to awstats\nannounced via advisory MDVSA-2009:266.", "modified": "2017-07-07T00:00:00", "published": "2009-10-19T00:00:00", "id": "OPENVAS:66022", "href": "http://plugins.openvas.org/nasl.php?oid=66022", "type": "openvas", "title": "Mandrake Security Advisory MDVSA-2009:266 (awstats)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: mdksa_2009_266.nasl 6587 2017-07-07 06:35:35Z cfischer $\n# Description: Auto-generated from advisory MDVSA-2009:266 (awstats)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"A vulnerability has been found and corrected in awstats:\n\nawstats.pl in AWStats 6.8 and earlier does not properly remove quote\ncharacters, which allows remote attackers to conduct cross-site\nscripting (XSS) attacks via the query_string parameter. NOTE:\nthis issue exists because of an incomplete fix for CVE-2008-3714\n(CVE-2008-5080).\n\nThis update fixes this vulnerability.\n\nAffected: Corporate 4.0, Enterprise Server 5.0\";\ntag_solution = \"To upgrade automatically use MandrakeUpdate or urpmi. The verification\nof md5 checksums and GPG signatures is performed automatically for you.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=MDVSA-2009:266\";\ntag_summary = \"The remote host is missing an update to awstats\nannounced via advisory MDVSA-2009:266.\";\n\n \n\nif(description)\n{\n script_id(66022);\n script_version(\"$Revision: 6587 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 08:35:35 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-10-19 21:50:22 +0200 (Mon, 19 Oct 2009)\");\n script_cve_id(\"CVE-2008-3714\", \"CVE-2008-5080\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_name(\"Mandrake Security Advisory MDVSA-2009:266 (awstats)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Mandrake Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mandriva_mandrake_linux\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"awstats\", rpm:\"awstats~6.4~4.2.20060mlcs4\", rls:\"MNDK_4.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"awstats\", rpm:\"awstats~6.8~1.1mdvmes5\", rls:\"MNDK_mes5\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-04-06T11:39:31", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-5080", "CVE-2008-3714"], "description": "The remote host is missing an update to awstats\nannounced via advisory MDVSA-2009:266.", "modified": "2018-04-06T00:00:00", "published": "2009-10-19T00:00:00", "id": "OPENVAS:136141256231066022", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231066022", "type": "openvas", "title": "Mandrake Security Advisory MDVSA-2009:266 (awstats)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: mdksa_2009_266.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Auto-generated from advisory MDVSA-2009:266 (awstats)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"A vulnerability has been found and corrected in awstats:\n\nawstats.pl in AWStats 6.8 and earlier does not properly remove quote\ncharacters, which allows remote attackers to conduct cross-site\nscripting (XSS) attacks via the query_string parameter. NOTE:\nthis issue exists because of an incomplete fix for CVE-2008-3714\n(CVE-2008-5080).\n\nThis update fixes this vulnerability.\n\nAffected: Corporate 4.0, Enterprise Server 5.0\";\ntag_solution = \"To upgrade automatically use MandrakeUpdate or urpmi. 
The verification\nof md5 checksums and GPG signatures is performed automatically for you.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=MDVSA-2009:266\";\ntag_summary = \"The remote host is missing an update to awstats\nannounced via advisory MDVSA-2009:266.\";\n\n \n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.66022\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-10-19 21:50:22 +0200 (Mon, 19 Oct 2009)\");\n script_cve_id(\"CVE-2008-3714\", \"CVE-2008-5080\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_name(\"Mandrake Security Advisory MDVSA-2009:266 (awstats)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Mandrake Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mandriva_mandrake_linux\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"awstats\", rpm:\"awstats~6.4~4.2.20060mlcs4\", rls:\"MNDK_4.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"awstats\", rpm:\"awstats~6.8~1.1mdvmes5\", rls:\"MNDK_mes5\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.3, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "seebug": [{"lastseen": "2017-11-19T21:19:51", "description": "BUGTRAQ ID: 30730\r\nCVE(CAN) ID: CVE-2008-3714\r\n\r\nAWStats\u662f\u4e00\u6b3e\u6d41\u884c\u7684\u57fa\u4e8eWeb\u7684\u7f51\u7ad9\u6d41\u91cf\u5206\u6790\u8f6f\u4ef6\u3002\r\n\r\nAWStats\u7684awstats.pl\u811a\u672c\u6ca1\u6709\u6b63\u786e\u5730\u8fc7\u6ee4config\u8bf7\u6c42\u53c2\u6570\uff0c\u5982\u679c\u7528\u6237\u8ddf\u968f\u4e86\u6076\u610f\u94fe\u63a5\u7684\u8bdd\u5c31\u53ef\u80fd\u5bfc\u81f4\u5728\u6d4f\u89c8\u5668\u4f1a\u8bdd\u4e2d\u6ce8\u5165\u5e76\u6267\u884c\u4efb\u610fweb\u811a\u672c\u6216HTML\u4ee3\u7801\u3002\n\nAWStats 6.8\n Debian\r\n------\r\nDebian\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08DSA-1679-1\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\nDSA-1679-1\uff1aNew awstats packages fix cross-site scripting\r\n\u94fe\u63a5\uff1a<a href=http://www.debian.org/security/2008/dsa-1679 target=_blank>http://www.debian.org/security/2008/dsa-1679</a>\r\n\r\n\u8865\u4e01\u4e0b\u8f7d\uff1a\r\n\r\nSource archives:\r\n\r\n<a href=http://security.debian.org/pool/updates/main/a/awstats/awstats_6.5+dfsg-1+etch1.diff.gz target=_blank>http://security.debian.org/pool/updates/main/a/awstats/awstats_6.5+dfsg-1+etch1.diff.gz</a>\r\nSize/MD5 checksum: 20369 bbe38406f0402fd5b7be2d0a427223c8\r\n<a href=http://security.debian.org/pool/updates/main/a/awstats/awstats_6.5+dfsg-1+etch1.dsc target=_blank>http://security.debian.org/pool/updates/main/a/awstats/awstats_6.5+dfsg-1+etch1.dsc</a>\r\nSize/MD5 checksum: 1079 2fd97dfcfcbf48cbe0e4a1a431cb43bd\r\n<a href=http://security.debian.org/pool/updates/main/a/awstats/awstats_6.5+dfsg.orig.tar.gz target=_blank>http://security.debian.org/pool/updates/main/a/awstats/awstats_6.5+dfsg.orig.tar.gz</a>\r\nSize/MD5 checksum: 1041837 af6cbfbf470eb45f5238501813d6d1c6\r\n\r\nArchitecture independent packages:\r\n\r\n<a 
href=http://security.debian.org/pool/updates/main/a/awstats/awstats_6.5+dfsg-1+etch1_all.deb target=_blank>http://security.debian.org/pool/updates/main/a/awstats/awstats_6.5+dfsg-1+etch1_all.deb</a>\r\nSize/MD5 checksum: 837326 878a4f0ab2ccb36c324c0c171a6a39b5\r\n\r\n\u8865\u4e01\u5b89\u88c5\u65b9\u6cd5\uff1a\r\n\r\n1. \u624b\u5de5\u5b89\u88c5\u8865\u4e01\u5305\uff1a\r\n\r\n \u9996\u5148\uff0c\u4f7f\u7528\u4e0b\u9762\u7684\u547d\u4ee4\u6765\u4e0b\u8f7d\u8865\u4e01\u8f6f\u4ef6\uff1a\r\n # wget url (url\u662f\u8865\u4e01\u4e0b\u8f7d\u94fe\u63a5\u5730\u5740)\r\n\r\n \u7136\u540e\uff0c\u4f7f\u7528\u4e0b\u9762\u7684\u547d\u4ee4\u6765\u5b89\u88c5\u8865\u4e01\uff1a \r\n # dpkg -i file.deb (file\u662f\u76f8\u5e94\u7684\u8865\u4e01\u540d)\r\n\r\n2. \u4f7f\u7528apt-get\u81ea\u52a8\u5b89\u88c5\u8865\u4e01\u5305\uff1a\r\n\r\n \u9996\u5148\uff0c\u4f7f\u7528\u4e0b\u9762\u7684\u547d\u4ee4\u66f4\u65b0\u5185\u90e8\u6570\u636e\u5e93\uff1a\r\n # apt-get update\r\n \r\n \u7136\u540e\uff0c\u4f7f\u7528\u4e0b\u9762\u7684\u547d\u4ee4\u5b89\u88c5\u66f4\u65b0\u8f6f\u4ef6\u5305\uff1a\r\n # apt-get upgrade", "published": "2008-12-05T00:00:00", "title": "AWStats awstats.pl\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-3714"], "modified": "2008-12-05T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-4521", "id": "SSV:4521", "sourceData": "\n http://www.example.com/awstats/awstats.pl?config=www.example.com&%22onload=%22alert(document.domain)//\n ", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-4521"}], "exploitdb": [{"lastseen": "2016-02-03T16:34:01", "description": "AWStats 6.8 'awstats.pl' Cross-Site Scripting Vulnerability. CVE-2008-3714. 
Webapps exploit for cgi platform", "published": "2008-08-18T00:00:00", "type": "exploitdb", "title": "AWStats 6.8 - 'awstats.pl' Cross-Site Scripting Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-3714"], "modified": "2008-08-18T00:00:00", "id": "EDB-ID:32258", "href": "https://www.exploit-db.com/exploits/32258/", "sourceData": "source: http://www.securityfocus.com/bid/30730/info\r\n\r\nAWStats is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.\r\n\r\nAn attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.\r\n\r\nAWStats 6.8 is vulnerable; other versions may also be affected. \r\n\r\nhttp://www.example.com/awstats/awstats.pl?config=www.example.com&%22onload=%22alert(document.domain)// ", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/32258/"}], "ubuntu": [{"lastseen": "2020-07-09T00:23:12", "bulletinFamily": "unix", "cvelist": ["CVE-2008-5080", "CVE-2008-3714"], "description": "Morgan Todd discovered that AWStats did not correctly strip quotes from \ncertain parameters, allowing for an XSS attack when running as a CGI. 
\nIf a user was tricked by a remote attacker into following a specially \ncrafted URL, the user's authentication information could be exposed for \nthe domain where AWStats was hosted.", "edition": 5, "modified": "2008-12-04T00:00:00", "published": "2008-12-04T00:00:00", "id": "USN-686-1", "href": "https://ubuntu.com/security/notices/USN-686-1", "title": "AWStats vulnerability", "type": "ubuntu", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "freebsd": [{"lastseen": "2019-05-29T18:34:19", "bulletinFamily": "unix", "cvelist": ["CVE-2008-5080", "CVE-2008-3714"], "description": "\nSecunia reports:\n\nMorgan Todd has discovered a vulnerability in AWStats,\n\t which can be exploited by malicious people to conduct\n\t cross-site scripting attacks.\nInput passed in the URL to awstats.pl is not properly\n\t sanitised before being returned to the user. This can be\n\t exploited to execute arbitrary HTML and script code in a\n\t user's browser session in context of an affected site.\nSuccessful exploitation requires that the application is\n\t running as a CGI script.\n\n", "edition": 4, "modified": "2008-03-12T00:00:00", "published": "2008-03-12T00:00:00", "id": "27D78386-D35F-11DD-B800-001B77D09812", "href": "https://vuxml.freebsd.org/freebsd/27d78386-d35f-11dd-b800-001b77d09812.html", "title": "awstats -- multiple XSS vulnerabilities", "type": "freebsd", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:30", "bulletinFamily": "software", "cvelist": ["CVE-2008-3197", "CVE-2008-3661", "CVE-2008-3332", "CVE-2008-3663", "CVE-2008-4688", "CVE-2008-3098", "CVE-2008-3331", "CVE-2008-3102", "CVE-2008-4687", "CVE-2008-2276", "CVE-2008-4689", "CVE-2008-3333", "CVE-2008-3457", "CVE-2008-4096", "CVE-2008-3714", "CVE-2008-3456"], "description": "PHP inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc.", "edition": 1, "modified": "2008-09-24T00:00:00", 
"published": "2008-09-24T00:00:00", "id": "SECURITYVULNS:VULN:9305", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:9305", "title": "Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}