> Exploit #1: 
> http://www.example.com/cgi-bin/awstats.pl?diricons=%22%3E0wned!%3Cspan%20%22

I see. Thank you for taking the time to put these examples together for
us. :-)

I've prepared an updated patch that should take care of both bug #364443
and #365909.

Any final comments on anything I'm missing before moving forward with
this patch?

thanks,
Charles

-- 
As you journey
Down the years
Your mirror is
The glass that cheers
If you use
Burma-Shave
http://burma-shave.org/jingles/1936/as_you_journey
Index: awstats-6.5/wwwroot/cgi-bin/awstats.pl
===================================================================
--- awstats-6.5.orig/wwwroot/cgi-bin/awstats.pl 2005-11-24 15:11:19.000000000 
-0500
+++ awstats-6.5/wwwroot/cgi-bin/awstats.pl      2006-05-05 16:43:12.000000000 
-0400
@@ -5542,8 +5542,8 @@
        # No update but report by default when run from a browser
        $UpdateStats=($QueryString=~/update=1/i?1:0);
 
-       if ($QueryString =~ /config=([^&]+)/i)                          { 
$SiteConfig=&DecodeEncodedString("$1"); }
-       if ($QueryString =~ /diricons=([^&]+)/i)                        { 
$DirIcons=&DecodeEncodedString("$1"); }
+       if ($QueryString =~ /config=([^&]+)/i)                          { 
$SiteConfig=&Sanitize(&DecodeEncodedString("$1")); }
+       if ($QueryString =~ /diricons=([^&]+)/i)                        { 
$DirIcons=&Sanitize(&DecodeEncodedString("$1")); }
        if ($QueryString =~ /pluginmode=([^&]+)/i)                      { 
$PluginMode=&Sanitize(&DecodeEncodedString("$1"),1); }
        if ($QueryString =~ /configdir=([^&]+)/i)                       { 
$DirConfig=&Sanitize(&DecodeEncodedString("$1")); }
        # All filters
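Review bot: Sanitize() is not part of this diff, so nothing visible here shows that the default call (no second argument) on the `config=` and `diricons=` lines removes the `"`, `<` and `>` characters that Exploit #1 relies on. Please state in the patch description which characters Sanitize drops with and without the `1` flag that `pluginmode` passes, and confirm the fix by requesting the Exploit #1 URL against the patched script. Calling Sanitize on the output of DecodeEncodedString, as these lines do, is the right order, since filtering before decoding would let `%22%3E` through untouched.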
@@ -5561,7 +5561,7 @@
 
        # If migrate
        if ($QueryString =~ /(^|-|&|&)migrate=([^&]+)/i)    {
-               $MigrateStats=&DecodeEncodedString("$2"); 
+               $MigrateStats=&Sanitize(&DecodeEncodedString("$2"));
                $MigrateStats =~ 
/^(.*)$PROG(\d{0,2})(\d\d)(\d\d\d\d)(.*)\.txt$/;
                $SiteConfig=$5?$5:'xxx'; $SiteConfig =~ s/^\.//;                
# SiteConfig is used to find config file
        }
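Review bot: on the `$MigrateStats=&Sanitize(...)` line, the sanitized value feeds the `/^(.*)$PROG(\d{0,2})(\d\d)(\d\d\d\d)(.*)\.txt$/` match that follows, and the result of that match is never checked. The leading `(.*)` accepts a directory prefix, so if Sanitize removes any character a legitimate history file path contains, the match fails silently and `$SiteConfig` falls back to 'xxx'. Suggest testing the match result and stopping with an error when it fails, and running one real migrate path through the patched code before this goes in.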
@@ -5591,8 +5591,8 @@
        # Update with no report by default when run from command line
        $UpdateStats=1;
 
-       if ($QueryString =~ /config=([^&]+)/i)                          { 
$SiteConfig="$1"; }
-       if ($QueryString =~ /diricons=([^&]+)/i)                        { 
$DirIcons="$1"; }
+       if ($QueryString =~ /config=([^&]+)/i)                          { 
$SiteConfig=&Sanitize("$1"); }
+       if ($QueryString =~ /diricons=([^&]+)/i)                        { 
$DirIcons=&Sanitize("$1"); }
        if ($QueryString =~ /pluginmode=([^&]+)/i)                      { 
$PluginMode=&Sanitize("$1",1); }
        if ($QueryString =~ /configdir=([^&]+)/i)                       { 
$DirConfig=&Sanitize("$1"); }
        # All filters
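Review bot: the `config=` and `diricons=` lines in this command-line branch repeat the browser branch above, differing only in the DecodeEncodedString call, and that duplication is how two of the four parameters ended up unsanitized in both places. Consider extracting each parameter through one small helper that takes the parameter name and a decode flag and always calls Sanitize, so a parameter added later cannot skip it in one branch. If that is too invasive for a security upload, a comment above each block noting that every value taken from `$QueryString` must pass through Sanitize would at least document the rule.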
