authorLeonardo Arena <rnalrd@alpinelinux.org>2018-01-05 13:36:38 +0000
committerLeonardo Arena <rnalrd@alpinelinux.org>2018-01-05 13:36:38 +0000
commit48618eb748ee1f5f69d7d36a8cf247f48b45a141 (patch)
tree4f080f2ffde07cc8ec6d2ddaf63c7e9d7811d0d7 /main/awstats/CVE-2017-1000501-1.patch
parent1f189f77e6f221b9cc0d610eba7e3148f4c99e47 (diff)
main/awstats: security fix (CVE-2017-1000501)
Fixes #8371
Diffstat (limited to 'main/awstats/CVE-2017-1000501-1.patch')
-rw-r--r--main/awstats/CVE-2017-1000501-1.patch68
1 files changed, 68 insertions, 0 deletions
diff --git a/main/awstats/CVE-2017-1000501-1.patch b/main/awstats/CVE-2017-1000501-1.patch
new file mode 100644
index 0000000000..36b6aaa818
--- /dev/null
+++ b/main/awstats/CVE-2017-1000501-1.patch
@@ -0,0 +1,68 @@
+From cf219843a74c951bf5986f3a7fffa3dcf99c3899 Mon Sep 17 00:00:00 2001
+From: Laurent Destailleur <eldy@destailleur.fr>
+Date: Sun, 17 Dec 2017 12:55:48 +0100
+Subject: [PATCH] FIX Security reported by cPanel Security Team (can execute
+ arbitraty code)
+
+---
+ wwwroot/cgi-bin/awstats.pl | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/wwwroot/cgi-bin/awstats.pl b/wwwroot/cgi-bin/awstats.pl
+index 091d6823..fca4900f 100755
+--- a/wwwroot/cgi-bin/awstats.pl
++++ b/wwwroot/cgi-bin/awstats.pl
+@@ -1780,7 +1780,7 @@ sub Read_Config {
+ }else{if ($Debug){debug("Unable to open config file: $searchdir$SiteConfig", 2);}}
+ }
+
+- #CL - Added to open config if full path is passed to awstats
++ #CL - Added to open config if full path is passed to awstats
+ if ( !$FileConfig ) {
+
+ my $SiteConfigBis = File::Spec->rel2abs($SiteConfig);
+@@ -2205,7 +2205,10 @@ sub Parse_Config {
+ }
+
+ # Plugins
+- if ( $param =~ /^LoadPlugin/ ) { push @PluginsToLoad, $value; next; }
++ if ( $param =~ /^LoadPlugin/ ) {
++ $value =~ s/[^a-zA-Z0-9_\/\.\+:=\?\s%\-]//g; # Sanitize plugin name and string param because it is used later in an eval.
++ push @PluginsToLoad, $value; next;
++ }
+
+ # Other parameter checks we need to put after MaxNbOfExtra and MinHitExtra
+ if ( $param =~ /^MaxNbOf(\w+)/ ) { $MaxNbOf{$1} = $value; next; }
+@@ -3251,7 +3254,7 @@ sub Read_Plugins {
+ }
+ my $ret; # To get init return
+ my $initfunction =
+- "\$ret=Init_$pluginname('$pluginparam')";
++ "\$ret=Init_$pluginname('$pluginparam')"; # Note that pluginname and pluginparam were sanitized when reading cong file entry 'LoadPlugin'
+ my $initret = eval("$initfunction");
+ if ( $initret && $initret eq 'xxx' ) {
+ $initret =
+@@ -17140,7 +17143,10 @@ sub HTMLMainExtra{
+ # No update but report by default when run from a browser
+ $UpdateStats = ( $QueryString =~ /update=1/i ? 1 : 0 );
+
+- if ( $QueryString =~ /config=([^&]+)/i ) { $SiteConfig = &Sanitize("$1"); }
++ if ( $QueryString =~ /config=([^&]+)/i ) {
++ $SiteConfig = &Sanitize("$1");
++ $SiteConfig =~ s/\.\.//g; # Avoid directory transversal
++ }
+ if ( $QueryString =~ /diricons=([^&]+)/i ) { $DirIcons = "$1"; }
+ if ( $QueryString =~ /pluginmode=([^&]+)/i ) {
+ $PluginMode = &Sanitize( "$1", 1 );
+@@ -17227,7 +17233,10 @@ sub HTMLMainExtra{
+ # Update with no report by default when run from command line
+ $UpdateStats = 1;
+
+- if ( $QueryString =~ /config=([^&]+)/i ) { $SiteConfig = &Sanitize("$1"); }
++ if ( $QueryString =~ /config=([^&]+)/i ) {
++ $SiteConfig = &Sanitize("$1");
++ $SiteConfig =~ s/\.\.//g;
++ }
+ if ( $QueryString =~ /diricons=([^&]+)/i ) { $DirIcons = "$1"; }
+ if ( $QueryString =~ /pluginmode=([^&]+)/i ) {
+ $PluginMode = &Sanitize( "$1", 1 );
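Review bot: The string `eval` in Read_Plugins still builds Perl source from `$pluginname` and `$pluginparam`, and its safety now depends entirely on a character filter applied far away in Parse_Config. That filter drops quotes but keeps `/`, `.`, `:`, `=`, `?`, `%` and whitespace, so it is a parameter filter rather than an identifier check. Validating at the point of use would be sturdier: require `$pluginname =~ /\A\w+\z/` and call the initializer through a code reference, e.g. `my $init = \&{"Init_$pluginname"}; $ret = $init->($pluginparam);` (needs `no strict 'refs'` if strict refs is active there), so plugin data is never parsed as code. Separately, `$SiteConfig =~ s/\.\.//g` in the two `config=` hunks removes only `..`, while the Read_Config context lines show a full path being accepted via `File::Spec->rel2abs($SiteConfig)`. Unless `Sanitize` (not visible here) rejects absolute paths, the config name should be matched against an anchored allowlist or confined to the configured directories. The enclosing subs extend outside these hunks, and the `-1` filename suggests a companion patch that may cover part of this.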