CVE-2002-2330 in Statsplusinfo

Summary

by MITRE

Cross-site scripting (XSS) vulnerability in stat.pl in StatsPlus 1.25 allows remote attackers to inject arbitrary web script or HTML via (1) HTTP_USER_AGENT or (2) HTTP_REFERER, which is written to stats.html and executed in client browsers.


Analysis

by VulDB Data Team • 08/28/2025

This cross-site scripting vulnerability exists in the StatsPlus 1.25 web statistics tool, where the stat.pl script fails to properly sanitize user input before storing and displaying it in the generated stats.html file. The flaw specifically affects two HTTP request headers, User-Agent and Referer (the HTTP_USER_AGENT and HTTP_REFERER values named in the summary), which are commonly used by web servers to track client information and navigation history. When these headers contain malicious script code, the stat.pl script processes them without adequate validation or encoding, allowing the malicious content to be written directly into the output HTML file that gets served to users.

The technical implementation of this vulnerability stems from the application's lack of input sanitization and output encoding practices. When a user agent or referer header contains script tags or other malicious content, the script processes these values and writes them verbatim to the stats.html file without proper HTML escaping or validation. This creates a classic stored XSS scenario where the malicious payload persists in the server-side file and executes whenever legitimate users view the statistics page. The vulnerability is particularly dangerous because these HTTP headers are automatically populated by web browsers and servers, making it difficult for administrators to predict or prevent the injection of malicious code.

The operational impact of this vulnerability extends beyond simple script execution as it allows attackers to perform various malicious activities including session hijacking, credential theft, defacement of the statistics page, and redirection to malicious sites. An attacker could craft a malicious user agent string that, when processed by the vulnerable application, would execute a script that steals cookies from authenticated users or redirects them to phishing pages. The persistence of the vulnerability in the stats.html file means that the malicious code would continue to execute for all users who access the page until the file is manually cleaned or the application is patched. This makes the vulnerability particularly dangerous in environments where the statistics page is frequently accessed by multiple users.

Mitigation strategies should focus on implementing proper input validation and output encoding techniques. The application should sanitize all HTTP headers before processing them, implementing strict whitelisting of acceptable characters and removing or encoding potentially dangerous sequences such as script tags, javascript protocols, and other malicious payloads. Organizations should also consider implementing Content Security Policy headers to limit the execution of inline scripts, along with other security measures that prevent XSS exploitation. This vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws, and represents a typical example of how insecure input handling can lead to persistent client-side attacks. From an ATT&CK perspective, this vulnerability maps to T1566.001 (Phishing via Social Media) and T1059.007 (Command and Scripting Interpreter: JavaScript) as it enables attackers to deliver malicious JavaScript payloads to victim browsers through web application vulnerabilities.
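The output-encoding mitigation described above, as an added example that is not StatsPlus code: it contrasts writing the User-Agent and Referer values verbatim with encoding them for the HTML context and linking the referer only when it is an http(s) URL. The table-row layout, function names and length cap are assumptions made for illustration.

```python
import html
from urllib.parse import urlsplit

MAX_LEN = 256  # assumed cap; longer header values are truncated before rendering


def clean_header(value):
    """Drop control characters (CR, LF, tab, ...) and truncate a raw header value."""
    printable = "".join(ch for ch in value if ch.isprintable())
    return printable[:MAX_LEN]


def render_row_unsafe(user_agent, referer):
    """The flaw as described: header values are written to the page verbatim."""
    return f'<tr><td>{user_agent}</td><td><a href="{referer}">{referer}</a></td></tr>'


def render_row_safe(user_agent, referer):
    """Encode both values for HTML; render the referer as a link only if http(s)."""
    ua = html.escape(clean_header(user_agent), quote=True)
    ref = clean_header(referer)
    ref_text = html.escape(ref, quote=True)
    try:
        parts = urlsplit(ref)
        linkable = parts.scheme in ("http", "https") and bool(parts.netloc)
    except ValueError:
        linkable = False
    if linkable:
        ref_cell = f'<a href="{ref_text}" rel="noreferrer">{ref_text}</a>'
    else:
        ref_cell = ref_text  # shown as inert text, never as a link target
    return f"<tr><td>{ua}</td><td>{ref_cell}</td></tr>"


# Constructed sample header values (not taken from any real log).
SAMPLES = [
    ("Mozilla/4.0 (compatible; MSIE 6.0)", "http://example.com/index.html"),
    ("<script>alert(1)</script>", "javascript:alert(1)"),
    ("Mozilla/4.0", 'http://example.com/" onmouseover="alert(1)'),
]

if __name__ == "__main__":
    for ua, ref in SAMPLES:
        print(render_row_safe(ua, ref))
```

Encoding at the point where the value is written into stats.html is what closes the stored XSS; the scheme check covers the case where the referer is rendered as a clickable link.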

Reservation

10/26/2007

Disclosure

12/31/2002

Moderation

accepted

Entry

VDB-19972

CPE

ready

EPSS

0.01153

KEV

no

Activities

very low

Sources
