
W3Perl Web Statistics Header Manipulation Vulnerability

by Nikola Strahija on January 25th, 2002


W3Perl is freely available, open-source web statistics software. W3Perl generates statistics for website usage based on log files and outputs them to HTML. Users can select various levels of detail. W3Perl will run on most Linux and Unix variants as well as Microsoft Windows NT/2000 operating systems.

W3Perl does not sufficiently sanitize the data it processes from log files. As a result, it may be possible for an attacker to inject maliciously constructed data which will end up being displayed on the website running W3Perl.

Attackers can exploit W3Perl Web Statistics by crafting an HTTP header which contains malicious script code, resulting in a cross-site scripting attack. This issue may also be exploited to falsify log entries.

HTTP header manipulation attacks against the web statistics software may allow the attacker to hijack sessions by stealing cookie-based authentication credentials from users.
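An added example, not W3Perl's code and not part of the original advisory: a log-to-HTML report in Python that HTML-escapes the client-supplied User-Agent field before writing it to the page, next to the unescaped output the advisory describes. The Apache combined log format, the function names and the sample log lines are assumptions made for the illustration.

```python
import html
import re
from collections import Counter

# Apache "combined" format (assumed): the last two quoted fields are Referer
# and User-Agent, both copied verbatim from client-supplied request headers.
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>.*?)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>.*?)" "(?P<agent>.*)"$'
)

# Constructed sample input (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Jan/2002:10:00:00 +0000] "GET / HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    '192.0.2.11 - - [25/Jan/2002:10:00:05 +0000] "GET / HTTP/1.0" 200 512 "-" "<script>alert(1)</script>"',
    '192.0.2.10 - - [25/Jan/2002:10:00:09 +0000] "GET /a HTTP/1.0" 200 90 "-" "Mozilla/4.0"',
]

def count_agents(lines):
    """Tally User-Agent values; lines that do not parse are counted separately."""
    agents, rejected = Counter(), 0
    for line in lines:
        m = COMBINED.match(line)
        if m is None:
            rejected += 1
            continue
        agents[m.group("agent")] += 1
    return agents, rejected

def render_rows(agents, escape=True):
    """Build table rows; escape=False reproduces the unsanitized output."""
    rows = []
    for agent, hits in agents.most_common():
        # Drop control characters, then encode &, <, >, " and ' for HTML.
        shown = "".join(c for c in agent if c.isprintable())
        if escape:
            shown = html.escape(shown, quote=True)
        rows.append(f"<tr><td>{shown}</td><td>{hits}</td></tr>")
    return "\n".join(rows)

if __name__ == "__main__":
    agents, rejected = count_agents(SAMPLE_LOG)
    print(render_rows(agents))
    print(f"unparsed lines: {rejected}")
```

Escaping happens at output time, so the raw header value stays intact in the tally while the generated page only ever contains inert text.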

EXPLOIT:

This issue may be exploited using a utility such as telnet to craft a raw HTTP header.

