From ab422ccdbd7c99b6207ea96be49c1294272a92a6 Mon Sep 17 00:00:00 2001
From: Dennis Gilmore
Date: May 22 2006 01:44:47 +0000
Subject: patch for CVE-2006-1945
---
diff --git a/awstats-6.5-CVE-2006-1945.patch b/awstats-6.5-CVE-2006-1945.patch
new file mode 100644
index 0000000..b9e4cd7
--- /dev/null
+++ b/awstats-6.5-CVE-2006-1945.patch
@@ -0,0 +1,95 @@
+--- ./wwwroot/cgi-bin/awstats.pl.CVE-2006-1945 2005-11-24 21:11:19.000000000 +0100
++++ ./wwwroot/cgi-bin/awstats.pl 2006-05-09 10:46:34.000000000 +0200
+@@ -4430,6 +4394,7 @@
+
+ #------------------------------------------------------------------------------
+ # Function: Clean a string of HTML tags to avoid 'Cross Site Scripting attacks'
++# and clean | char.
+ # Parameters: stringtoclean
+ # Input: None
+ # Output: None
+@@ -4439,6 +4404,7 @@
+ my $stringtoclean=shift;
+ $stringtoclean =~ s//>/g;
++ $stringtoclean =~ s/|//g;
+ return $stringtoclean;
+ }
+
+@@ -5516,6 +5483,7 @@
+ 'hostfilter','hostfilterex','urlfilter','urlfilterex','refererpagesfilter','refererpagesfilterex',
+ 'pluginmode','filterrawlog');
+
++# Parse input parameters and sanitize them for security reasons
+ $QueryString='';
+ # AWStats use GATEWAY_INTERFACE to known if ran as CLI or CGI. AWSTATS_DEL_GATEWAY_INTERFACE can
+ # be set to force AWStats to be ran as CLI even from a web page.
+@@ -5534,7 +5502,7 @@
+ $QueryString =~ s/&/&/g;
+ }
+
+- $QueryString = CleanFromCSSA($QueryString);
++ $QueryString = CleanFromCSSA(&DecodeEncodedString($QueryString));
+
+ # Security test
+ if ($QueryString =~ /LogFile=([^&]+)/i) { error("Logfile parameter can't be overwritten when AWStats is used from a CGI"); }
+@@ -5542,26 +5510,26 @@
+ # No update but report by default when run from a browser
+ $UpdateStats=($QueryString=~/update=1/i?1:0);
+
+- if ($QueryString =~ /config=([^&]+)/i) { $SiteConfig=&DecodeEncodedString("$1"); }
+- if ($QueryString =~ /diricons=([^&]+)/i) { $DirIcons=&DecodeEncodedString("$1"); }
+- if ($QueryString =~ /pluginmode=([^&]+)/i) { $PluginMode=&Sanitize(&DecodeEncodedString("$1"),1); }
+- if ($QueryString =~ /configdir=([^&]+)/i) { $DirConfig=&Sanitize(&DecodeEncodedString("$1")); }
++ if ($QueryString =~ /config=([^&]+)/i) { $SiteConfig=&Sanitize("$1"); }
++ if ($QueryString =~ /diricons=([^&]+)/i) { $DirIcons="$1"; }
++ if ($QueryString =~
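Review bot: As shown, the added line `$stringtoclean =~ s/|//g;` in the `@@ -4439,6 +4404,7 @@` hunk does not remove pipe characters. An unescaped `|` is an alternation of two empty patterns, so it matches the empty string at every position and replaces it with nothing, returning the string unchanged. The pipe has to be escaped, `$stringtoclean =~ s/\|//g;` (or `$stringtoclean =~ tr/|//d;`). The function starts outside the hunk, and the substitution line just before the addition looks damaged by page extraction, so only the added line is judged here.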
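Review bot: Decoding the whole query string before any parameter is matched changes how values are split, and the changed line `$QueryString = CleanFromCSSA(&DecodeEncodedString($QueryString));` in the `@@ -5534,7 +5502,7 @@` hunk does not say so. Assuming `DecodeEncodedString` does URL percent-decoding, as its name suggests, an encoded `&` inside a filter value becomes a literal separator and the `([^&]+)` captures further down stop at it. Having the `LogFile=` test and the parameter matches read the same decoded text is the stronger design, but the behaviour change should be documented, e.g. `# Decode once, up front, so the LogFile test and every parameter match below see the same decoded text`. The enclosing block starts and ends outside this hunk.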
/pluginmode=([^&]+)/i) { $PluginMode=&Sanitize("$1",1); }
++ if ($QueryString =~ /configdir=([^&]+)/i) { $DirConfig=&Sanitize("$1"); }
+ # All filters
+- if ($QueryString =~ /hostfilter=([^&]+)/i) { $FilterIn{'host'}=&DecodeEncodedString("$1"); } # Filter on host list can also be defined with hostfilter=filter
+- if ($QueryString =~ /hostfilterex=([^&]+)/i) { $FilterEx{'host'}=&DecodeEncodedString("$1"); } #
+- if ($QueryString =~ /urlfilter=([^&]+)/i) { $FilterIn{'url'}=&DecodeEncodedString("$1"); } # Filter on URL list can also be defined with urlfilter=filter
+- if ($QueryString =~ /urlfilterex=([^&]+)/i) { $FilterEx{'url'}=&DecodeEncodedString("$1"); } #
+- if ($QueryString =~ /refererpagesfilter=([^&]+)/i) { $FilterIn{'refererpages'}=&DecodeEncodedString("$1"); } # Filter on referer list can also be defined with refererpagesfilter=filter
+- if ($QueryString =~ /refererpagesfilterex=([^&]+)/i) { $FilterEx{'refererpages'}=&DecodeEncodedString("$1"); } #
++ if ($QueryString =~ /hostfilter=([^&]+)/i) { $FilterIn{'host'}="$1"; } # Filter on host list can also be defined with hostfilter=filter
++ if ($QueryString =~ /hostfilterex=([^&]+)/i) { $FilterEx{'host'}="$1"; } #
++ if ($QueryString =~ /urlfilter=([^&]+)/i) { $FilterIn{'url'}="$1"; } # Filter on URL list can also be defined with urlfilter=filter
++ if ($QueryString =~ /urlfilterex=([^&]+)/i) { $FilterEx{'url'}="$1"; } #
++ if ($QueryString =~ /refererpagesfilter=([^&]+)/i) { $FilterIn{'refererpages'}="$1"; } # Filter on referer list can also be defined with refererpagesfilter=filter
++ if ($QueryString =~ /refererpagesfilterex=([^&]+)/i) { $FilterEx{'refererpages'}="$1"; } #
+ # All output
+- if ($QueryString =~ /output=allhosts:([^&]+)/i) { $FilterIn{'host'}=&DecodeEncodedString("$1"); } # Filter on host list can be defined with output=allhosts:filter to reduce number of lines read and showed
+- if ($QueryString =~ /output=lasthosts:([^&]+)/i) { $FilterIn{'host'}=&DecodeEncodedString("$1"); } # Filter on
host list can be defined with output=lasthosts:filter to reduce number of lines read and showed
+- if ($QueryString =~ /output=urldetail:([^&]+)/i) { $FilterIn{'url'}=&DecodeEncodedString("$1"); } # Filter on URL list can be defined with output=urldetail:filter to reduce number of lines read and showed
+- if ($QueryString =~ /output=refererpages:([^&]+)/i) { $FilterIn{'refererpages'}=&DecodeEncodedString("$1"); } # Filter on referer list can be defined with output=refererpages:filter to reduce number of lines read and showed
++ if ($QueryString =~ /output=allhosts:([^&]+)/i) { $FilterIn{'host'}="$1"; } # Filter on host list can be defined with output=allhosts:filter to reduce number of lines read and showed
++ if ($QueryString =~ /output=lasthosts:([^&]+)/i) { $FilterIn{'host'}="$1"; } # Filter on host list can be defined with output=lasthosts:filter to reduce number of lines read and showed
++ if ($QueryString =~ /output=urldetail:([^&]+)/i) { $FilterIn{'url'}="$1"; } # Filter on URL list can be defined with output=urldetail:filter to reduce number of lines read and showed
++ if ($QueryString =~ /output=refererpages:([^&]+)/i) { $FilterIn{'refererpages'}="$1"; } # Filter on referer list can be defined with output=refererpages:filter to reduce number of lines read and showed
+
+ # If migrate
+ if ($QueryString =~ /(^|-|&|&)migrate=([^&]+)/i) {
+- $MigrateStats=&DecodeEncodedString("$2");
++ $MigrateStats=&Sanitize("$2");
+ $MigrateStats =~ /^(.*)$PROG(\d{0,2})(\d\d)(\d\d\d\d)(.*)\.txt$/;
+ $SiteConfig=$5?$5:'xxx'; $SiteConfig =~ s/^\.//; # SiteConfig is used to find config file
+ }
+@@ -5591,7 +5559,7 @@
+ # Update with no report by default when run from command line
+ $UpdateStats=1;
+
+- if ($QueryString =~ /config=([^&]+)/i) { $SiteConfig="$1"; }
++ if ($QueryString =~ /config=([^&]+)/i) { $SiteConfig=&Sanitize("$1"); }
+ if ($QueryString =~ /diricons=([^&]+)/i) { $DirIcons="$1"; }
+ if ($QueryString =~ /pluginmode=([^&]+)/i) { $PluginMode=&Sanitize("$1",1); }
+
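Review bot: In the `@@ -5542,26 +5510,26 @@` hunk, `$DirIcons="$1";` and every `$FilterIn{...}`/`$FilterEx{...}` assignment now take the capture directly, while `config`, `pluginmode`, `configdir` and `migrate` go through `&Sanitize`. Their only cleaning is therefore the single `CleanFromCSSA` pass over the whole query string, which per its header comment targets HTML tags and the `|` character. If `$DirIcons` is later written into an HTML attribute (not visible here), stripping tags would not stop a quote character from ending the attribute. Consider `$DirIcons=&Sanitize("$1");` like the neighbouring lines, provided `Sanitize` keeps the characters an icon path needs, or add a comment such as `# diricons and filters rely on CleanFromCSSA only; they are escaped again at output` if that is the intent. The enclosing CGI branch starts and ends outside the hunk.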
if ($QueryString =~ /configdir=([^&]+)/i) { $DirConfig=&Sanitize("$1"); }
+@@ -5625,8 +5593,6 @@
+ if ($QueryString =~ /(^|&|&)databasebreak=(\w+)/i) { $DatabaseBreak=$2; }
+ if ($QueryString =~ /(^|&|&)updatefor=(\d+)/i) { $UpdateFor=$2; }
+ if ($QueryString =~ /(^|&|&)noloadplugin=([^&]+)/i) { foreach (split(/,/,$2)) { $NoLoadPlugin{&Sanitize("$_",1)}=1; } }
+-#Removed for security reasons
+-#if ($QueryString =~ /(^|&|&)loadplugin=([^&]+)/i) { foreach (split(/,/,$2)) { $NoLoadPlugin{&Sanitize("$_",1)}=-1; } }
+ if ($QueryString =~ /(^|&|&)limitflush=(\d+)/i) { $LIMITFLUSH=$2; }
+ # Get/Define output
+ if ($QueryString =~ /(^|&|&)output(=[^&]*|)(.*)(&|&)output(=[^&]*|)(&|$)/i) { error("Only 1 output option is allowed","","",1); }