Adapted from:
http://awstats.cvs.sourceforge.net/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.910&r2=1.912
diff -ur awstats-6.7/wwwroot/cgi-bin/awstats.pl awstats-6.7-CVE-2008-3714/wwwroot/cgi-bin/awstats.pl
--- awstats-6.7/wwwroot/cgi-bin/awstats.pl 2007-07-07 12:00:06.000000000 +0100
+++ awstats-6.7-CVE-2008-3714/wwwroot/cgi-bin/awstats.pl 2008-08-23 09:21:31.000000000 +0100
@@ -4380,6 +4380,7 @@
sub DecodeEncodedString {
my $stringtodecode=shift;
$stringtodecode =~ tr/\+/ /s;
+ $stringtodecode =~ s/%22//g;
$stringtodecode =~ s/%([A-F0-9][A-F0-9])/pack("C", hex($1))/ieg;
return $stringtodecode;
}
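Review bot: The added `s/%22//g` on L10 removes only the percent-encoded double quote, so a literal `"` already present in the raw parameter, or a `%27` single quote, still reaches the decoded value unchanged, and the protection is a denylist of a single token. The decoded string is presumably made safe later by CleanXSS, so the more durable fix is to keep this decoder lossless and HTML-escape quotes at output time instead, e.g. `$stringtoclean =~ s/"/&quot;/g;` and `$stringtoclean =~ s/'/&#39;/g;` in CleanXSS. Deleting bytes during decoding also silently corrupts legitimate values that happen to contain an encoded quote, such as a referrer URL, which an escaping approach would preserve.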
@@ -4432,9 +4433,12 @@
#------------------------------------------------------------------------------
sub CleanXSS {
my $stringtoclean=shift;
+ # To avoid html tags and javascript
$stringtoclean =~ s/</</g;
$stringtoclean =~ s/>/>/g;
$stringtoclean =~ s/|//g;
+ # To avoid onload="
+ $stringtoclean =~ s/onload//g;
return $stringtoclean;
}
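Review bot: `s/onload//g` on L23 is a single-pass, case-sensitive token deletion and is straightforward to bypass: `ononloadload` becomes `onload` after one removal, `OnLoad` is not matched at all even though HTML attribute names are case-insensitive, and other handlers such as `onerror` or `onmouseover` are untouched. Stripping handler names is also unnecessary once a quote can no longer terminate an attribute value, so the robust change is to escape the quote characters here rather than blacklist names: `$stringtoclean =~ s/"/&quot;/g;` and `$stringtoclean =~ s/'/&#39;/g;`, with at least `/gi` on the name filter if it is kept. Separately, L19–L20 render on this page as `s/</</g;` and `s/>/>/g;`, which would be no-ops as written; presumably the replacement text was `&lt;`/`&gt;` and was unescaped by whatever produced this listing, so verify against the upstream file before relying on it.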