Stay Secure with the Latest Linux Advisories

Explore Latest Linux Security advisories


Ubuntu: 2021:075 High: Webalizer Cross-Site Scripting Risk

An exploitable bug was found in webalizer which allows a remote attacker to execute commands on other client machines or reveal sensitive information by placing HTML tags in the right place.

______________________________________________________________________________
SuSE Security Announcement

Package:                 webalizer
Announcement-ID:         SuSE-SA:2001:040
Date:                    Tuesday, Nov 06th, 2001 12.00 MET
Affected SuSE versions:  7.1, 7.2, 7.3
Vulnerability Type:      remote privilege escalation (cross-site scripting)
Severity (1-10):         5
SuSE default package:    no
Other affected systems:  all linux-like systems using this version of webalizer

Content of this advisory:
  1) security vulnerability resolved: webalizer
     problem description, discussion, solution and upgrade information
  2) pending vulnerabilities, solutions, workarounds
  3) standard appendix (further information)
______________________________________________________________________________

1) problem description, brief discussion, solution, upgrade information

The webalizer is a widely used tool for analyzing web server logs and producing statistics in HTML format. An exploitable bug was found in webalizer which allows a remote attacker to execute commands on other client machines or reveal sensitive information by placing HTML tags in the right place. This is possible due to missing sanity checks on untrusted data - hostnames and search keywords in this case - that are received by webalizer. This kind of attack is also known as a "Cross-Site Scripting Vulnerability". Additionally, the untrusted data will be written to files on the server running webalizer; this may lead to further problems when using this data as input for third-party software/scripts.

There is no known temporary fix, so please update your system with the new RPMs from our FTP server. Download the update package from the locations described below and install the package with the command:

    rpm -Uhv file.rpm

The md5sum for each file is in the line below. You can verify the integrity of the rpm files using the command:

    rpm --checksig --nogpg file.rpm

independently from the md5 signatures below.

i386 Intel Platform:
  SuSE-7.3   3525fd6ab9c27be34edad9bef05ff061   source rpm: 898d975f34991a02f02da603b6bcd529
  SuSE-7.2   593a7f033158f57bac47cf2fa9cb83bc   source rpm: 70ceb86a0373070a06f6d39ec0bc4377
  SuSE-7.1   74288622703dec120b18c0fbb5003917   source rpm: 213f7a394052dc193be05a882768054a

Sparc Platform:
  SuSE-7.1   5aa3b7511d704415498fbec3bfc2ccd5   source rpm: 792efab485712286fc848234b1aa249d

AXP Alpha Platform:
  SuSE-7.1   aa93070e8358b1cfd91b7fabffbfa985   source rpm: 2065dd78c3f8147a94f97994fb37e6ce

PPC Power PC Platform:
  SuSE-7.3   cc28460b1d6fac8f87cc4658fae45d3e   source rpm: 7d7cec18f488f97187338723b0151426
  SuSE-7.1   3630f538b0445ee462b73475b488b146   source rpm: 4c998066d5eb545bb1551e246f2724c1

______________________________________________________________________________

2) Pending vulnerabilities in SuSE Distributions and Workarounds:

- openssh
  After stabilizing the openssh package, updates for the distributions 6.4-7.2 are currently being prepared. The update packages fix a security problem related to the recently discovered problems with source-ip-based access restrictions in a user's ~/.ssh/authorized_keys2 file. The packages will appear shortly on our ftp servers. Please note that packages for the distributions 6.3 and up including 7.0 containing cryptographic software are located on the German ftp server ftp.suse.de; all other packages can be found on ftp.suse.com at the usual location. We will issue a dedicated Security announcement for the openssh package.

- nvi
  Takeshi Uno found a format tag vulnerability in all versions of nvi. The bug will be fixed in a future version of SuSE Linux.

- Please watch out for more announcements that are currently in our queue.

______________________________________________________________________________

3) standard appendix:

SuSE runs two security mailing lists to which any interested party may subscribe:

[address elided] - general/linux/SuSE security discussion. All SuSE security announcements are sent to this list. To subscribe, send an email to [address elided].

[address elided] - SuSE's announce-only mailing list. Only SuSE's security announcements are sent to this list. To subscribe, send an email to [address elided].

For general information or the frequently asked questions (faq) send mail to [address elided] or [address elided] respectively.

==============================================
SuSE's security contact is [address elided].
==============================================
______________________________________________________________________________

The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. SuSE GmbH makes no warranties of any kind whatsoever with respect to the information contained in this security advisory.

Summary: An exploitable bug in Webalizer allows remote attackers to execute commands or access sensitive information. Immediate update required. Severity: Important. LinuxSecurity.com Team

Nov 06, 2001 | Important | SuSE
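The SuSE advisory above traces the bug to missing sanity checks on hostnames and search keywords before they are copied into the HTML report. As an added illustration, not webalizer's code or either vendor's fix, the following C function escapes such a field before it is emitted and a second helper lets a report writer verify that no raw tag survived; `html_escape_field` and `contains_raw_tag` are names chosen here, and the hostname in main() is a constructed sample.

```c
#include <stdio.h>
#include <string.h>

/* Escape the HTML-significant characters in an untrusted log field
 * (a client hostname or a search keyword) before it is written into a
 * generated HTML report. Returns the number of bytes written, excluding
 * the terminating NUL, or -1 if the output buffer is too small. */
int html_escape_field(const char *in, char *out, size_t outlen)
{
    size_t used = 0;
    for (; *in; in++) {
        const char *rep;
        char single[2] = { *in, '\0' };
        switch (*in) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = single;   break;
        }
        size_t n = strlen(rep);
        if (used + n + 1 > outlen)   /* keep room for the NUL */
            return -1;
        memcpy(out + used, rep, n);
        used += n;
    }
    out[used] = '\0';
    return (int)used;
}

/* Final check before a row is emitted: does the string still carry a
 * raw '<' or '>' that a browser would parse as markup? */
int contains_raw_tag(const char *s)
{
    return strchr(s, '<') != NULL || strchr(s, '>') != NULL;
}

int main(void)
{
    /* Constructed sample of a hostname field containing markup, as it
     * could arrive in an access log and reach the report writer. */
    const char *host = "<b>tag</b>.example";
    char buf[256];
    int n = html_escape_field(host, buf, sizeof buf);
    printf("escaped (%d bytes): %s\n", n, buf);
    return contains_raw_tag(buf) ? 1 : 0;
}
```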

Red Hat Powertools: RHSA-2001:141-05 Critical: Webalizer XSS Issue

Updated webalizer packages are available which fix a security problem and some minor bugs.

---------------------------------------------------------------------
                   Red Hat, Inc. Red Hat Security Advisory

Synopsis:          Updated webalizer packages available
Advisory ID:       RHSA-2001:141-05
Issue date:        2001-10-24
Updated on:        2001-10-30
Product:           Red Hat Powertools
Keywords:          webalizer cross-site scripting malicious html security update
Cross references:
Obsoletes:
---------------------------------------------------------------------

1. Topic:

Updated webalizer packages are available which fix a security problem and some minor bugs.

2. Relevant releases/architectures:

Red Hat Powertools 7.0 - alpha, i386
Red Hat Powertools 7.1 - alpha, i386

3. Problem description:

A bug in versions of webalizer prior to 2.01_09 allowed users to embed malicious HTML tags in reports generated by webalizer.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

    rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command:

    up2date

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system.

5. Bug IDs fixed:

6. RPMs required:

Red Hat Powertools 7.0:
SRPMS:
alpha:
i386:

Red Hat Powertools 7.1:
SRPMS:
alpha:
i386:

7. Verification:

MD5 sum                            Package Name
--------------------------------------------------------------------------
cc314c77a809e812f2006ad8a80846b6   7.0/en/powertools/SRPMS/webalizer-2.01_09-0.70.src.rpm
ae4e02676eeba9f14b316fb24072d48e   7.0/en/powertools/alpha/webalizer-2.01_09-0.70.alpha.rpm
e29636af79adc391a49907a68bb45228   7.0/en/powertools/i386/webalizer-2.01_09-0.70.i386.rpm
eb327fff942041a315d5721725bc0f6a   7.1/en/powertools/SRPMS/webalizer-2.01_09-0.71.src.rpm
0721814e29303bfac6602433fae39ebb   7.1/en/powertools/alpha/webalizer-2.01_09-0.71.alpha.rpm
0d77b8f5ce3e1c04fa6c217204598232   7.1/en/powertools/i386/webalizer-2.01_09-0.71.i386.rpm

These packages are GPG signed by Red Hat, Inc. for security. Our key is available at:

You can verify each package with the following command:

    rpm --checksig <filename>

If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command:

    rpm --checksig --nogpg <filename>

8. References:

Copyright(c) 2000, 2001 Red Hat, Inc.

Summary: Recent updates for Webalizer address a cross-site scripting risk; the advisory gives the specifics of the fix and the steps for applying it. Severity: Critical. LinuxSecurity.com Team

Oct 30, 2001 | Critical | Red Hat