Hi, Hendrik, the problem is that the patch decodes %%2222 to %22 and then back to ".
I will upload Florians patch in an NMU. debdiff attached. Cheers Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
diff -u awstats-6.7.dfsg/debian/changelog awstats-6.7.dfsg/debian/changelog
--- awstats-6.7.dfsg/debian/changelog
+++ awstats-6.7.dfsg/debian/changelog
@@ -1,3 +1,11 @@
+awstats (6.7.dfsg-5.1) unstable; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Strip '"' characters during URL decoding, fixing a cross-site
+ scripting attack (CVE-2008-3714; CVE-2008-5080; Closes: #495432).
+
+ -- Nico Golde <[EMAIL PROTECTED]> Wed, 10 Dec 2008 13:05:43 +0100
+
awstats (6.7.dfsg-5) unstable; urgency=low
* Add debian/patches/0001_awstats69beta_xss.patch,
diff -u awstats-6.7.dfsg/debian/patches/series awstats-6.7.dfsg/debian/patches/series
--- awstats-6.7.dfsg/debian/patches/series
+++ awstats-6.7.dfsg/debian/patches/series
@@ -5,0 +6 @@
+1006_CVE-2008-3714_5080.patch
only in patch2:
unchanged:
--- awstats-6.7.dfsg.orig/debian/patches/1006_CVE-2008-3714_5080.patch
+++ awstats-6.7.dfsg/debian/patches/1006_CVE-2008-3714_5080.patch
@@ -0,0 +1,10 @@
+--- awstats-6.5+dfsg.orig/wwwroot/cgi-bin/awstats.pl
++++ awstats-6.5+dfsg/wwwroot/cgi-bin/awstats.pl
+@@ -4395,6 +4395,7 @@
+ my $stringtodecode=shift;
+ $stringtodecode =~ tr/\+/ /s;
+ $stringtodecode =~ s/%([A-F0-9][A-F0-9])/pack("C", hex($1))/ieg;
++ $stringtodecode =~ s/["']//g;
+ return $stringtodecode;
+ }
+
pgpb65ECCXFXC.pgp
Description: PGP signature
