USN-686-1: AWStats vulnerability

Referenced CVEs:
CVE-2008-3714

Description:
===========================================================
Ubuntu Security Notice USN-686-1          December 04, 2008
awstats vulnerability
CVE-2008-3714
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.10
Ubuntu 8.04 LTS
Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  awstats 6.5-1ubuntu1.3

Ubuntu 7.10:
  awstats 6.6+dfsg-1ubuntu0.1

Ubuntu 8.04 LTS:
  awstats 6.7.dfsg-1ubuntu0.1

Ubuntu 8.10:
  awstats 6.7.dfsg-5ubuntu0.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Morgan Todd discovered that AWStats did not correctly strip quotes from
certain parameters, allowing for an XSS attack when running as a CGI.
If a user was tricked by a remote attacker into following a specially
crafted URL, the user's authentication information could be exposed for
the domain where AWStats was hosted.
