author | Leonardo Arena <rnalrd@alpinelinux.org> | 2018-01-05 13:36:38 +0000 |
---|---|---|
committer | Leonardo Arena <rnalrd@alpinelinux.org> | 2018-01-05 13:36:38 +0000 |
commit | 48618eb748ee1f5f69d7d36a8cf247f48b45a141 (patch) | |
tree | 4f080f2ffde07cc8ec6d2ddaf63c7e9d7811d0d7 /main/awstats/CVE-2017-1000501-1.patch | |
parent | 1f189f77e6f221b9cc0d610eba7e3148f4c99e47 (diff) | |
main/awstats: security fix (CVE-2017-1000501)
Fixes #8371
Diffstat (limited to 'main/awstats/CVE-2017-1000501-1.patch')
-rw-r--r-- | main/awstats/CVE-2017-1000501-1.patch | 68 |
1 files changed, 68 insertions, 0 deletions
diff --git a/main/awstats/CVE-2017-1000501-1.patch b/main/awstats/CVE-2017-1000501-1.patch
new file mode 100644
index 0000000000..36b6aaa818
--- /dev/null
+++ b/main/awstats/CVE-2017-1000501-1.patch
@@ -0,0 +1,68 @@
+From cf219843a74c951bf5986f3a7fffa3dcf99c3899 Mon Sep 17 00:00:00 2001
+From: Laurent Destailleur <eldy@destailleur.fr>
+Date: Sun, 17 Dec 2017 12:55:48 +0100
+Subject: [PATCH] FIX Security reported by cPanel Security Team (can execute
+ arbitraty code)
+
+---
+ wwwroot/cgi-bin/awstats.pl | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/wwwroot/cgi-bin/awstats.pl b/wwwroot/cgi-bin/awstats.pl
+index 091d6823..fca4900f 100755
+--- a/wwwroot/cgi-bin/awstats.pl
++++ b/wwwroot/cgi-bin/awstats.pl
+@@ -1780,7 +1780,7 @@ sub Read_Config {
+ }else{if ($Debug){debug("Unable to open config file: $searchdir$SiteConfig", 2);}}
+ }
+
+- #CL - Added to open config if full path is passed to awstats
++ #CL - Added to open config if full path is passed to awstats
+ if ( !$FileConfig ) {
+
+ my $SiteConfigBis = File::Spec->rel2abs($SiteConfig);
+@@ -2205,7 +2205,10 @@ sub Parse_Config {
+ }
+
+ # Plugins
+- if ( $param =~ /^LoadPlugin/ ) { push @PluginsToLoad, $value; next; }
++ if ( $param =~ /^LoadPlugin/ ) {
++ $value =~ s/[^a-zA-Z0-9_\/\.\+:=\?\s%\-]//g; # Sanitize plugin name and string param because it is used later in an eval.
++ push @PluginsToLoad, $value; next;
++ }
+
+ # Other parameter checks we need to put after MaxNbOfExtra and MinHitExtra
+ if ( $param =~ /^MaxNbOf(\w+)/ ) { $MaxNbOf{$1} = $value; next; }
+@@ -3251,7 +3254,7 @@ sub Read_Plugins {
+ }
+ my $ret; # To get init return
+ my $initfunction =
+- "\$ret=Init_$pluginname('$pluginparam')";
++ "\$ret=Init_$pluginname('$pluginparam')"; # Note that pluginname and pluginparam were sanitized when reading cong file entry 'LoadPlugin'
+ my $initret = eval("$initfunction");
+ if ( $initret && $initret eq 'xxx' ) {
+ $initret =
+@@ -17140,7 +17143,10 @@ sub HTMLMainExtra{
+ # No update but report by default when run from a browser
+ $UpdateStats = ( $QueryString =~ /update=1/i ? 1 : 0 );
+
+- if ( $QueryString =~ /config=([^&]+)/i ) { $SiteConfig = &Sanitize("$1"); }
++ if ( $QueryString =~ /config=([^&]+)/i ) {
++ $SiteConfig = &Sanitize("$1");
++ $SiteConfig =~ s/\.\.//g; # Avoid directory transversal
++ }
+ if ( $QueryString =~ /diricons=([^&]+)/i ) { $DirIcons = "$1"; }
+ if ( $QueryString =~ /pluginmode=([^&]+)/i ) {
+ $PluginMode = &Sanitize( "$1", 1 );
+@@ -17227,7 +17233,10 @@ sub HTMLMainExtra{
+ # Update with no report by default when run from command line
+ $UpdateStats = 1;
+
+- if ( $QueryString =~ /config=([^&]+)/i ) { $SiteConfig = &Sanitize("$1"); }
++ if ( $QueryString =~ /config=([^&]+)/i ) {
++ $SiteConfig = &Sanitize("$1");
++ $SiteConfig =~ s/\.\.//g;
++ }
+ if ( $QueryString =~ /diricons=([^&]+)/i ) { $DirIcons = "$1"; }
+ if ( $QueryString =~ /pluginmode=([^&]+)/i ) {
+ $PluginMode = &Sanitize( "$1", 1 );
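Review bot: The `$SiteConfig =~ s/\.\.//g;` lines added in both `config=` branches of HTMLMainExtra remove only `..` sequences, so a value that is already an absolute path passes through unchanged. The Read_Config context in the same patch shows a branch that resolves `$SiteConfig` with `File::Spec->rel2abs` when no config file was found. Whether `&Sanitize` rejects path separators is not visible in these hunks, so that should be confirmed before treating the traversal as closed. The `-1` in the file name suggests a companion patch, and the APKBUILD change that lists the applied patches is outside this diff. Separately, the LoadPlugin filter is applied only in Parse_Config while Read_Plugins still builds the init call as a string for `eval`, so any other code that fills `@PluginsToLoad` needs the same filter; assuming the `Init_*` functions live in package main, calling through a code reference such as `my $init = main->can("Init_$pluginname"); $ret = $init ? $init->($pluginparam) : undef;` would remove the dependence on the filter.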