1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
|
From cf219843a74c951bf5986f3a7fffa3dcf99c3899 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Sun, 17 Dec 2017 12:55:48 +0100
Subject: [PATCH] FIX Security reported by cPanel Security Team (can execute
arbitraty code)
---
wwwroot/cgi-bin/awstats.pl | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/wwwroot/cgi-bin/awstats.pl b/wwwroot/cgi-bin/awstats.pl
index 091d6823..fca4900f 100755
--- a/wwwroot/cgi-bin/awstats.pl
+++ b/wwwroot/cgi-bin/awstats.pl
@@ -1780,7 +1780,7 @@ sub Read_Config {
}else{if ($Debug){debug("Unable to open config file: $searchdir$SiteConfig", 2);}}
}
- #CL - Added to open config if full path is passed to awstats
+ #CL - Added to open config if full path is passed to awstats
if ( !$FileConfig ) {
my $SiteConfigBis = File::Spec->rel2abs($SiteConfig);
@@ -2205,7 +2205,10 @@ sub Parse_Config {
}
# Plugins
- if ( $param =~ /^LoadPlugin/ ) { push @PluginsToLoad, $value; next; }
+ if ( $param =~ /^LoadPlugin/ ) {
+ $value =~ s/[^a-zA-Z0-9_\/\.\+:=\?\s%\-]//g; # Sanitize plugin name and string param because it is used later in an eval.
+ push @PluginsToLoad, $value; next;
+ }
# Other parameter checks we need to put after MaxNbOfExtra and MinHitExtra
if ( $param =~ /^MaxNbOf(\w+)/ ) { $MaxNbOf{$1} = $value; next; }
@@ -3251,7 +3254,7 @@ sub Read_Plugins {
}
my $ret; # To get init return
my $initfunction =
- "\$ret=Init_$pluginname('$pluginparam')";
+ "\$ret=Init_$pluginname('$pluginparam')"; # Note that pluginname and pluginparam were sanitized when reading cong file entry 'LoadPlugin'
my $initret = eval("$initfunction");
if ( $initret && $initret eq 'xxx' ) {
$initret =
@@ -17140,7 +17143,10 @@ sub HTMLMainExtra{
# No update but report by default when run from a browser
$UpdateStats = ( $QueryString =~ /update=1/i ? 1 : 0 );
- if ( $QueryString =~ /config=([^&]+)/i ) { $SiteConfig = &Sanitize("$1"); }
+ if ( $QueryString =~ /config=([^&]+)/i ) {
+ $SiteConfig = &Sanitize("$1");
+ $SiteConfig =~ s/\.\.//g; # Avoid directory transversal
+ }
if ( $QueryString =~ /diricons=([^&]+)/i ) { $DirIcons = "$1"; }
if ( $QueryString =~ /pluginmode=([^&]+)/i ) {
$PluginMode = &Sanitize( "$1", 1 );
@@ -17227,7 +17233,10 @@ sub HTMLMainExtra{
# Update with no report by default when run from command line
$UpdateStats = 1;
- if ( $QueryString =~ /config=([^&]+)/i ) { $SiteConfig = &Sanitize("$1"); }
+ if ( $QueryString =~ /config=([^&]+)/i ) {
+ $SiteConfig = &Sanitize("$1");
+ $SiteConfig =~ s/\.\.//g;
+ }
if ( $QueryString =~ /diricons=([^&]+)/i ) { $DirIcons = "$1"; }
if ( $QueryString =~ /pluginmode=([^&]+)/i ) {
$PluginMode = &Sanitize( "$1", 1 );
|