Test ID: 1.3.6.1.4.1.25623.1.0.57514
Category: Ubuntu Local Security Checks
Title: Ubuntu USN-360-1 (awstats)
Summary: NOSUMMARY
Description:

The remote host is missing an update to awstats
announced via advisory USN-360-1.

A security issue affects the following Ubuntu releases:

Ubuntu 5.04
Ubuntu 5.10
Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

awstats did not fully sanitize input, which was passed directly to the user's
browser, allowing for an XSS attack. If a user was tricked into following a
specially crafted awstats URL, the user's authentication information could be
exposed for the domain where awstats was hosted. (CVE-2006-3681)

awstats could display its installation path under certain conditions.
However, this might only become a concern if awstats is installed into
a user's home directory. (CVE-2006-3682)

Solution:
The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.04:
awstats 6.3-1ubuntu0.4

Ubuntu 5.10:
awstats 6.4-1ubuntu1.3

Ubuntu 6.06 LTS:
awstats 6.5-1ubuntu1.2

In general, a standard system upgrade is sufficient to effect the
necessary changes.

http://www.securityspace.com/smysecure/catid.html?in=USN-360-1

Risk factor : Medium

CVSS Score:
5.0

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2006-3681
http://pridels0.blogspot.com/2006/04/awstats-65x-multiple-vuln.html
http://secunia.com/advisories/19725
http://secunia.com/advisories/22306
http://www.ubuntu.com/usn/usn-360-1
http://www.vupen.com/english/advisories/2006/1421
XForce ISS Database: awstats-multiple-xss(25879)
https://exchange.xforce.ibmcloud.com/vulnerabilities/25879
Common Vulnerability Exposure (CVE) ID: CVE-2006-3682
XForce ISS Database: awstats-multiple-path-disclosure(25880)
https://exchange.xforce.ibmcloud.com/vulnerabilities/25880
Copyright: Copyright (c) 2006 E-Soft Inc. http://www.securityspace.com