Title: Bradford Barrett Webalizer Cross-Agent Scripting Vulnerability
Severity: HIGH
Description:
Webalizer is a web server log file analysis program that generates web site statistics reports from the server's log files. The reports include referrer information, browser information, web site hits, files accessed, etc. These reports are generated in HTML format so that administrators can view them in a web browser.
Webalizer Server does not protect against cross-agent scripting attacks.
A user could place malicious HTML tags in the 'Referer' field of an HTTP request when visiting the web site of a Webalizer host. Because Webalizer generates HTML reports (stored on the web server's file system) that document the 'Referer' information of every visiting user, the malicious content is written into the report unescaped. When a Webalizer administrator later opens the report in a browser, the malicious content contained in the file could execute.
Depending on what the HTML tags are specified to do, arbitrary commands could be run in the administrator's browser session, potentially compromising the target host.
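The flaw is a stored cross-site scripting issue: a log analyser copies an attacker-controlled header into an HTML page without encoding it. The following added example (not Webalizer's code; the log lines and the report layout are constructed for illustration) parses combined-format access log lines, counts referrers, and renders the referrer table both the unsafe way the advisory describes and the safe way, with every log-derived string HTML-escaped before it reaches the page.

```python
import html
import re
from collections import Counter

# Apache/NCSA "combined" log format: host ident user [time] "request" status size "referer" "agent".
# Referers containing a literal double quote are out of scope for this illustration.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log lines (not taken from the advisory). The second line carries
# a script tag in the Referer header, the attacker-controlled field the advisory describes.
SAMPLE_LOG = [
    '10.0.0.1 - - [01/Jan/2002:10:00:00 +0000] "GET / HTTP/1.0" 200 512 '
    '"http://example.org/links.html" "Mozilla/4.0"',
    '10.0.0.2 - - [01/Jan/2002:10:00:05 +0000] "GET / HTTP/1.0" 200 512 '
    '"<script>alert(1)</script>" "Mozilla/4.0"',
    '10.0.0.3 - - [01/Jan/2002:10:00:09 +0000] "GET / HTTP/1.0" 200 512 '
    '"http://example.org/links.html" "Mozilla/4.0"',
]


def parse_combined(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def count_referers(lines):
    """Tally referer values across the log, skipping lines that fail to parse."""
    counts = Counter()
    for line in lines:
        rec = parse_combined(line)
        if rec is not None:
            counts[rec["referer"]] += 1
    return counts


def render_report(counts, escape=True):
    """Render the referer table the way a log analyser would.

    With escape=True (the fix) every log-derived string is HTML-escaped before it is
    placed in the page, so a referer of "<script>...</script>" is shown as text.
    escape=False reproduces the flaw the advisory describes: the raw header value is
    written into the HTML and executes when an administrator opens the report.
    """
    rows = []
    for referer, n in counts.most_common():
        cell = html.escape(referer, quote=True) if escape else referer
        rows.append(f"<tr><td>{n}</td><td>{cell}</td></tr>")
    return "<table>\n" + "\n".join(rows) + "\n</table>"


if __name__ == "__main__":
    tally = count_referers(SAMPLE_LOG)
    print("UNSAFE report (raw header copied into HTML):")
    print(render_report(tally, escape=False))
    print("\nSAFE report (header escaped before output):")
    print(render_report(tally))
```

The same escaping must be applied to every other header-derived field that ends up in the report (user agent, request line, and so on), not only the referer; `html.escape(..., quote=True)` is used so the value would also be safe inside a quoted attribute.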
Affected Products:
- Bradford Barrett Webalizer 2.0.1-06
- RedHat Linux 7.2.0 i386
- RedHat Linux 7.2.0 ia64
References:
- Bradford Barrett: Webalizer Homepage
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.