Published: 2001-12-06 00:00:00
Revised: 2017-12-18 21:29:27

[Original text] Cross-site scripting vulnerability in Webalizer 2.01-06, and possibly other versions, allows remote attackers to inject arbitrary HTML tags by specifying them in (1) search keywords embedded in HTTP referrer information, or (2) host names that are retrieved via a reverse DNS lookup.

[CNNVD] Bradford Barrett Webalizer Cross-Site Scripting Vulnerability (CNNVD-200112-019)

CVE(CAN) ID: CAN-2001-0835
Webalizer is a web server log program used to generate web site statistics log files. The logs generally include

- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)


- OVAL (technical details for detection)


- Official database links
(official data source) MITRE
(official data source) NVD
(official data source) CNNVD

- Other links and resources
(UNKNOWN)  BUGTRAQ  20011024 Cross-site Scripting Flaw in webalizer
(UNKNOWN)  ENGARDE  ESA-20011101-01
(UNKNOWN)  XF  webalizer-html-tag-host(7350)
(UNKNOWN)  XF  webalizer-html-tags-keywords(7351)

- Vulnerability information

Bradford Barrett Webalizer Cross-Site Scripting Vulnerability
High risk, Input validation
2001-12-06 00:00:00 2005-10-20 00:00:00

- Advisories and patches

* View the logs with a text browser
Bradford Barrett Webalizer 2.0.1-06:

- Vulnerability information

Webalizer HTTP Referrer Embedded Search Keywords XSS
Location: Remote / Network Access; Attack type: Input Manipulation
Impact: Loss of Integrity
Exploit: Public

- Vulnerability description

Webalizer contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate HTTP referrers upon submission to the Webalizer application. This could allow a user to create a specially crafted URL that would execute arbitrary code on the user's system, potentially allowing access to the HTML reports and leading to a loss of integrity.

- Timeline

2001-10-24 Unknown
2001-10-24 Unknown

- Solution

Upgrade to version 2.01-09 or higher, as it has been reported to fix this vulnerability. In addition, the vendor has released a patch to address this vulnerability.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Bradford Barrett Webalizer Cross-Agent Scripting Vulnerability
Class: Input Validation Error; Bugtraq ID: 3473
Remote: Yes; Local: No
Published: 2001-10-24 12:00:00; Updated: 2009-07-11 09:06:00
Discovered and posted to Bugtraq by MASA <> on October 24, 2001.

- Affected program versions

Bradford Barrett Webalizer 2.0.1 -06
- Apple Mac OS X 10.0
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
- SGI IRIX 4.0
- Sun Solaris 7.0

- Vulnerability discussion

Webalizer is a web server log file program, which generates web site statistics from log files. The reports it produces include referrer information, browser information, web site hits, files accessed, etc. These reports are generated in HTML format, so administrators can view them in a web browser.

Webalizer does not protect against cross-agent scripting attacks.

A user could specify malicious HTML tags in the 'Referer' field of an HTTP request when visiting the website of a Webalizer host; the tags are copied into the report unescaped.

If a Webalizer administrator then views the generated report in a browser, the malicious content contained within the file could execute.
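The two steps the discussion describes, a tag arriving in a log field and that field later being written into an HTML report without escaping, can be shown side by side with the fix. The Python below is an added example written for this page, not Webalizer's own code: it parses constructed Apache combined-format log lines (the format Webalizer reads), renders the unsafe concatenation beside an entity-escaping renderer, and flags lines whose host or referrer field contains markup so an administrator can review them. The regex, the use of a `q` parameter for search keywords, and the sample lines are assumptions made for the example.

```python
import html
import re
import urllib.parse

# Apache "combined" log format, which Webalizer reads. This regex is written for
# this example and is not Webalizer's own parser.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log lines (not from a real server). Line 3 carries an HTML
# tag in the referrer's search keywords; line 4 carries one in the host field,
# which is where a reverse-DNS result would land. These are the two injection
# points the advisory describes.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Oct/2001:10:00:00 +0000] "GET /index.html HTTP/1.0" 200 1234 '
    '"http://search.example/?q=webalizer+stats" "Mozilla/4.0"',
    '198.51.100.7 - - [24/Oct/2001:10:01:00 +0000] "GET /about.html HTTP/1.0" 200 512 '
    '"-" "Mozilla/4.0"',
    '203.0.113.9 - - [24/Oct/2001:10:02:00 +0000] "GET / HTTP/1.0" 200 99 '
    '"http://search.example/?q=<script>alert(1)</script>" "Mozilla/4.0"',
    'www.<b>bold</b>.example - - [24/Oct/2001:10:03:00 +0000] "GET / HTTP/1.0" 200 99 '
    '"-" "Mozilla/4.0"',
]

# Client-controlled fields should never contain markup; flag them for review.
SUSPICIOUS = re.compile(r'[<>"\']|javascript:', re.IGNORECASE)


def parse_line(line):
    """Split one combined-format line into named fields, or return None."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def search_keywords(referrer):
    """Return the search phrase from a referrer's 'q' parameter, or None.
    The parameter name is an assumption for this example; Webalizer keys on
    several engines' parameter names."""
    query = urllib.parse.urlsplit(referrer).query
    values = urllib.parse.parse_qs(query).get("q")
    return values[0] if values else None


def is_suspicious(field):
    """Heuristic: does a log-derived field contain characters usable as markup?"""
    return bool(SUSPICIOUS.search(field))


def render_row_raw(entry):
    """The flawed pattern: log fields concatenated straight into HTML."""
    keywords = search_keywords(entry["referrer"]) or ""
    return "<tr><td>%s</td><td>%s</td><td>%s</td></tr>" % (
        entry["host"], entry["referrer"], keywords)


def render_row(entry):
    """The fix: every log-derived field is entity-encoded before it reaches
    HTML, so '<', '>', '&' and quotes display as text instead of parsing as
    markup."""
    keywords = search_keywords(entry["referrer"]) or ""
    cells = (entry["host"], entry["referrer"], keywords)
    return "<tr>" + "".join(
        "<td>%s</td>" % html.escape(c, quote=True) for c in cells) + "</tr>"


def build_report(lines):
    """Render an escaped HTML table and return it together with the 1-based
    numbers of lines whose host or referrer looked like an injection attempt."""
    rows, flagged = [], []
    for number, line in enumerate(lines, 1):
        entry = parse_line(line)
        if entry is None:
            continue  # malformed line; a real tool would count these
        if is_suspicious(entry["host"]) or is_suspicious(entry["referrer"]):
            flagged.append(number)
        rows.append(render_row(entry))
    return "<table>" + "".join(rows) + "</table>", flagged


if __name__ == "__main__":
    report, flagged = build_report(SAMPLE_LOG)
    print(report)
    print("lines needing review:", flagged)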

- Exploit

Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: <>.

- Solution

A patch has been released which rectifies this issue:

Bradford Barrett Webalizer 2.0.1 -06

- References