
Cross-site Scripting Flaw

Scan day: 02 March 2014 UTC
10
Virus safety - good
Description: A security flaw involving unchecked HTML content. Recent versions have been patched and are no longer vulnerable. (October 24, 2001)
Cross-site Scripting Flaw in webalizer : MASA <[email protected]> : BUGTRAQ Mailing List <[email protected]> : Cross-site Scripting Flaw in webalizer : Wed, 24 Oct 2001 11:18:14 -0200 (BRST)

MASA:01-01:en - Cross-site Scripting Flaw in webalizer

Overview

The webalizer is a popular web server log file analysis tool which produces reports in HTML format. Some webalizer versions contain two flaws that may allow a malicious user to insert unquoted data into the generated reports. This may be used to run scripts in the security context of the viewed site, as explained in the [1]CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests CERT/CC advisory (aka "cross-site scripting bug"). Under certain conditions, these flaws may allow a malicious user to run commands remotely on the web server where the reports are stored.

Detailed Description

The list below summarizes the flaws that may be exploited by a malicious user to inject HTML tags into webalizer reports. Once injected, the malicious data will be processed as soon as a victim user visits the compromised report.

Tags in host names

The webalizer program blindly trusts the data returned by the operating system resolver library when doing reverse address resolution. A malicious user who has control over a DNS reverse address mapping zone can set up an address with a PTR record pointing to a name containing HTML tags, and then access the web server where webalizer is run periodically. When the webalizer program is run on the log files, the address recorded in them will resolve to a name containing the HTML tags, which will be inserted unmodified into the generated HTML reports. Notice that the number of systems made vulnerable by this flaw may be small, as most modern resolver libraries refuse to return host names containing HTML meta-characters.

Tags in search keywords

The webalizer program has the ability of parsing the contents of HTTP referrer information stored in log files. The data collected is then compared to a li
Size: 2048 chars

WEBSITE Info

Page title: Cross-site Scripting Flaw in webalizer
IP-address: 72.51.34.34

WHOIS Info

NS
Name Server: SB.LWN.NET
Name Server: TEX.LWN.NET
WHOIS
Status: ok
Date
Creation Date: 22-may-1998
Expiration Date: 21-may-2022