Here is my proposed patch against the wheezy version. The upstream
patches applied with no problems, except for one hunk that only changes
whitespace. I deleted this hunk.

I also built a version, which is available for testing:
https://people.debian.org/~bam/debian/pool/main/a/awstats/


diff -Nru awstats-7.0~dfsg/debian/changelog awstats-7.0~dfsg/debian/changelog
--- awstats-7.0~dfsg/debian/changelog   2012-06-14 04:07:00.000000000 +1000
+++ awstats-7.0~dfsg/debian/changelog   2018-01-08 18:01:59.000000000 +1100
@@ -1,3 +1,11 @@
+awstats (7.0~dfsg-7+deb7u1) wheezy-security; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * Fix CVE-2017-1000501: Untrusted parameters were not sanitised, allowing
+    unauthenticated remote code execution. Closes: #885835.
+
+ -- Brian May <b...@debian.org>  Mon, 08 Jan 2018 18:01:59 +1100
+
 awstats (7.0~dfsg-7) unstable; urgency=low
 
   * Document -configdir option in README.Debian (Closes: #280067)
diff -Nru awstats-7.0~dfsg/debian/patches/CVE-2017-1000501.patch 
awstats-7.0~dfsg/debian/patches/CVE-2017-1000501.patch
--- awstats-7.0~dfsg/debian/patches/CVE-2017-1000501.patch      1970-01-01 
10:00:00.000000000 +1000
+++ awstats-7.0~dfsg/debian/patches/CVE-2017-1000501.patch      2018-01-08 
18:00:19.000000000 +1100
@@ -0,0 +1,82 @@
+--- a/wwwroot/cgi-bin/awstats.pl
++++ b/wwwroot/cgi-bin/awstats.pl
+@@ -2115,7 +2115,10 @@
+               }
+ 
+               # Plugins
+-              if ( $param =~ /^LoadPlugin/ ) { push @PluginsToLoad, $value; 
next; }
++              if ( $param =~ /^LoadPlugin/ ) {
++                      $value =~ s/[^a-zA-Z0-9_\/\.\+:=\?\s%\-]//g;            
# Sanitize plugin name and string param because it is used later in an eval.
++                      push @PluginsToLoad, $value; next; 
++              }
+ 
+         # Other parameter checks we need to put after MaxNbOfExtra and 
MinHitExtra
+               if ( $param =~ /^MaxNbOf(\w+)/ ) { $MaxNbOf{$1} = $value; next; 
}
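Review bot: The added substitution on `$value` silently deletes disallowed characters and then loads whatever remains, so a malformed `LoadPlugin` entry becomes a different plugin string instead of being refused. Because the inline comment says this value later reaches an eval, rejecting the entry is the safer behaviour, e.g. `if ( $value =~ /[^a-zA-Z0-9_\/\.\+:=\?\s%\-]/ ) { warn "Ignoring LoadPlugin entry with unexpected characters\n"; next; }`. The class also still admits `/` and `.`; how the plugin name is turned into a file to load is not visible in this hunk, so that is worth confirming. The enclosing config-parsing loop starts and ends outside the hunk.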
+@@ -3154,7 +3157,7 @@
+                                               }
+                                               my $ret;    # To get init return
+                                               my $initfunction =
+-                                                
"\$ret=Init_$pluginname('$pluginparam')";
++                                                
"\$ret=Init_$pluginname('$pluginparam')";             # Note that pluginname 
and pluginparam were sanitized when reading cong file entry 'LoadPlugin'
+                                               my $initret = 
eval("$initfunction");
+                                               if ( $initret && $initret eq 
'xxx' ) {
+                                                       $initret =
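Review bot: The init call is still assembled as a string and handed to `eval`, so its safety rests entirely on the character filter applied where `LoadPlugin` is parsed, about a thousand lines earlier; the new comment documents that coupling but nothing here enforces it. A local guard placed just before the eval would keep the two from drifting apart, for example `die "Unexpected plugin name\n" unless $pluginname =~ /\A\w+\z/;` (assuming plugin names are plain identifiers at this point, which this hunk does not show). Longer term, calling the routine through a code reference, `my $init = main->can("Init_$pluginname"); $ret = $init->($pluginparam) if $init;`, would avoid the string eval altogether, provided the Init_ subs live in package main. The added comment also has a typo: "cong file" should read "config file". The surrounding plugin-loading block continues outside the hunk.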
+@@ -16547,7 +16550,9 @@
+       # No update but report by default when run from a browser
+       $UpdateStats = ( $QueryString =~ /update=1/i ? 1 : 0 );
+ 
+-      if ( $QueryString =~ /config=([^&]+)/i ) { $SiteConfig = 
&Sanitize("$1"); }
++      if ( $QueryString =~ /config=([^&]+)/i ) { 
++              $SiteConfig = &Sanitize("$1");
++      }
+       if ( $QueryString =~ /diricons=([^&]+)/i ) { $DirIcons = "$1"; }
+       if ( $QueryString =~ /pluginmode=([^&]+)/i ) {
+               $PluginMode = &Sanitize( "$1", 1 );
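Review bot: `diricons` is still copied from the query string unfiltered on the context line `$DirIcons = "$1";`, while `config` and `pluginmode` right next to it go through `&Sanitize`. Where `$DirIcons` ends up is not visible here, but unless the query string has already been cleaned earlier, it would be consistent to write `$DirIcons = &Sanitize("$1");`. The same unfiltered line appears in the `@@ -16634,7 +16643,9 @@` hunk. In both hunks the only actual change is re-bracing the `config=` statement, so the changelog entry should not be read as covering these parameters.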
+@@ -16592,10 +16597,13 @@
+       # If migrate
+       if ( $QueryString =~ /(^|-|&|&amp;)migrate=([^&]+)/i ) {
+               $MigrateStats = &Sanitize("$2");
++
+               $MigrateStats =~ 
/^(.*)$PROG(\d{0,2})(\d\d)(\d\d\d\d)(.*)\.txt$/;
+-              $SiteConfig = $5 ? $5 : 'xxx';
++              $SiteConfig = &Sanitize($5 ? $5 : 'xxx');
+               $SiteConfig =~ s/^\.//;    # SiteConfig is used to find config 
file
+       }
++
++      $SiteConfig =~ s/\.\.//g;               # Avoid directory transversal
+ }
+ else {                             # Run from command line
+       $DebugMessages = 1;
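Review bot: Removing `..` with `$SiteConfig =~ s/\.\.//g;` constrains only one pattern; whether a `/` or a leading path component can still survive depends on `Sanitize`, whose body is not shown in this patch. Since the nearby comment says `SiteConfig` is used to find the config file, an anchored allowlist that rejects rather than rewrites would be stricter, e.g. `$SiteConfig = 'xxx' unless $SiteConfig =~ /\A[\w.\-]*\z/;` (adjust the class to the config names actually in use). The same substitution is added without any comment in the `@@ -16699,6 +16710,8 @@` hunk; it should carry the same explanation there, and "transversal" in the comment should read "traversal".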
+@@ -16605,9 +16613,10 @@
+ 
+               # If migrate
+               if ( $ARGV[$_] =~ /(^|-|&|&amp;)migrate=([^&]+)/i ) {
+-                      $MigrateStats = "$2";
++                      $MigrateStats = &Sanitize("$2");
++
+                       $MigrateStats =~ 
/^(.*)$PROG(\d{0,2})(\d\d)(\d\d\d\d)(.*)\.txt$/;
+-                      $SiteConfig = $5 ? $5 : 'xxx';
++                      $SiteConfig = &Sanitize($5 ? $5 : 'xxx');
+                       $SiteConfig =~ s/^\.//;    # SiteConfig is used to find 
config file
+                       next;
+               }
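Review bot: The result of the `$MigrateStats =~ /^(.*)$PROG(\d{0,2})(\d\d)(\d\d\d\d)(.*)\.txt$/` match is never tested before `$5` is read. When a match fails, Perl leaves the capture variables as the previous successful match set them, so the `'xxx'` fallback works only because the earlier `migrate=` pattern has fewer than five groups. Making the dependency explicit is cheap: `my $cfg = ( $MigrateStats =~ /.../ && $5 ) ? $5 : 'xxx'; $SiteConfig = &Sanitize($cfg);`. The same pattern is used in the CGI branch in the `@@ -16592,10 +16597,13 @@` hunk.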
+@@ -16634,7 +16643,9 @@
+       # Update with no report by default when run from command line
+       $UpdateStats = 1;
+ 
+-      if ( $QueryString =~ /config=([^&]+)/i ) { $SiteConfig = 
&Sanitize("$1"); }
++      if ( $QueryString =~ /config=([^&]+)/i ) { 
++              $SiteConfig = &Sanitize("$1"); 
++      }
+       if ( $QueryString =~ /diricons=([^&]+)/i ) { $DirIcons = "$1"; }
+       if ( $QueryString =~ /pluginmode=([^&]+)/i ) {
+               $PluginMode = &Sanitize( "$1", 1 );
+@@ -16699,6 +16710,8 @@
+               $ShowDirectOrigin = 1;
+               $QueryString =~ s/showdirectorigin[^&]*//i;
+       }
++      
++      $SiteConfig =~ s/\.\.//g; 
+ }
+ if ( $QueryString =~ /(^|&|&amp;)staticlinks/i ) {
+       $StaticLinks = "$PROG.$SiteConfig";
diff -Nru awstats-7.0~dfsg/debian/patches/series 
awstats-7.0~dfsg/debian/patches/series
--- awstats-7.0~dfsg/debian/patches/series      2012-06-14 04:07:00.000000000 
+1000
+++ awstats-7.0~dfsg/debian/patches/series      2018-01-08 17:59:24.000000000 
+1100
@@ -15,3 +15,4 @@
 1020_LogFile_usage_docs.patch
 2001_awstatsprog_path.patch
 2002_nboflastupdatelookuptosave.patch
+CVE-2017-1000501.patch


-- 
Brian May <b...@debian.org>
