diff --git a/FIX-Security-reported-by-cPanel-Security-Team-can-ex.patch b/FIX-Security-reported-by-cPanel-Security-Team-can-ex.patch new file mode 100644 index 0000000..1233b64 --- /dev/null +++ b/FIX-Security-reported-by-cPanel-Security-Team-can-ex.patch @@ -0,0 +1,71 @@ +From cf219843a74c951bf5986f3a7fffa3dcf99c3899 Mon Sep 17 00:00:00 2001 +From: Laurent Destailleur +Date: Sun, 17 Dec 2017 12:55:48 +0100 +Subject: [PATCH] FIX Security reported by cPanel Security Team (can execute + arbitraty code) + +--- + wwwroot/cgi-bin/awstats.pl | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +diff --git a/wwwroot/cgi-bin/awstats.pl b/wwwroot/cgi-bin/awstats.pl +index 091d6823..fca4900f 100755 +--- a/wwwroot/cgi-bin/awstats.pl ++++ b/wwwroot/cgi-bin/awstats.pl +@@ -1780,7 +1780,7 @@ sub Read_Config { + }else{if ($Debug){debug("Unable to open config file: $searchdir$SiteConfig", 2);}} + } + +- #CL - Added to open config if full path is passed to awstats ++ #CL - Added to open config if full path is passed to awstats + if ( !$FileConfig ) { + + my $SiteConfigBis = File::Spec->rel2abs($SiteConfig); +@@ -2205,7 +2205,10 @@ sub Parse_Config { + } + + # Plugins +- if ( $param =~ /^LoadPlugin/ ) { push @PluginsToLoad, $value; next; } ++ if ( $param =~ /^LoadPlugin/ ) { ++ $value =~ s/[^a-zA-Z0-9_\/\.\+:=\?\s%\-]//g; # Sanitize plugin name and string param because it is used later in an eval. ++ push @PluginsToLoad, $value; next; ++ } + + # Other parameter checks we need to put after MaxNbOfExtra and MinHitExtra + if ( $param =~ /^MaxNbOf(\w+)/ ) { $MaxNbOf{$1} = $value; next; } +@@ -3251,7 +3254,7 @@ sub Read_Plugins { + } + my $ret; # To get init return + my $initfunction = +- "\$ret=Init_$pluginname('$pluginparam')"; ++ "\$ret=Init_$pluginname('$pluginparam')"; # Note that pluginname and pluginparam were sanitized when reading cong file entry 'LoadPlugin' + my $initret = eval("$initfunction"); + if ( $initret && $initret eq 'xxx' ) { + $initret = +@@ -17140,7 +17143,10 @@ if ( $ENV{'GATEWAY_INTERFACE'} ) { # Run from a browser as CGI + # No update but report by default when run from a browser + $UpdateStats = ( $QueryString =~ /update=1/i ? 1 : 0 ); + +- if ( $QueryString =~ /config=([^&]+)/i ) { $SiteConfig = &Sanitize("$1"); } ++ if ( $QueryString =~ /config=([^&]+)/i ) { ++ $SiteConfig = &Sanitize("$1"); ++ $SiteConfig =~ s/\.\.//g; # Avoid directory transversal ++ } + if ( $QueryString =~ /diricons=([^&]+)/i ) { $DirIcons = "$1"; } + if ( $QueryString =~ /pluginmode=([^&]+)/i ) { + $PluginMode = &Sanitize( "$1", 1 ); +@@ -17227,7 +17233,10 @@ else { # Run from command line + # Update with no report by default when run from command line + $UpdateStats = 1; + +- if ( $QueryString =~ /config=([^&]+)/i ) { $SiteConfig = &Sanitize("$1"); } ++ if ( $QueryString =~ /config=([^&]+)/i ) { ++ $SiteConfig = &Sanitize("$1"); ++ $SiteConfig =~ s/\.\.//g; ++ } + if ( $QueryString =~ /diricons=([^&]+)/i ) { $DirIcons = "$1"; } + if ( $QueryString =~ /pluginmode=([^&]+)/i ) { + $PluginMode = &Sanitize( "$1", 1 ); +-- +2.15.1 + diff --git a/Fix-another-vulnerability-reported-by-cPanel-Securit.patch b/Fix-another-vulnerability-reported-by-cPanel-Securit.patch new file mode 100644 index 0000000..3a3e588 --- /dev/null +++ b/Fix-another-vulnerability-reported-by-cPanel-Securit.patch @@ -0,0 +1,70 @@ +From 06c0ab29c1e5059d9e0279c6b64d573d619e1651 Mon Sep 17 00:00:00 2001 +From: Laurent Destailleur +Date: Wed, 27 Dec 2017 13:39:57 +0100 +Subject: [PATCH] Fix another vulnerability reported by cPanel Security Team + (can execute arbitraty code) + +--- + wwwroot/cgi-bin/awstats.pl | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/wwwroot/cgi-bin/awstats.pl b/wwwroot/cgi-bin/awstats.pl +index fca4900f..4f14c6ee 100755 +--- a/wwwroot/cgi-bin/awstats.pl ++++ b/wwwroot/cgi-bin/awstats.pl +@@ -17145,7 +17145,6 @@ if ( $ENV{'GATEWAY_INTERFACE'} ) { # Run from a browser as CGI + + if ( $QueryString =~ /config=([^&]+)/i ) { + $SiteConfig = &Sanitize("$1"); +- $SiteConfig =~ s/\.\.//g; # Avoid directory transversal + } + if ( $QueryString =~ /diricons=([^&]+)/i ) { $DirIcons = "$1"; } + if ( $QueryString =~ /pluginmode=([^&]+)/i ) { +@@ -17191,10 +17190,13 @@ if ( $ENV{'GATEWAY_INTERFACE'} ) { # Run from a browser as CGI + # If migrate + if ( $QueryString =~ /(^|-|&|&)migrate=([^&]+)/i ) { + $MigrateStats = &Sanitize("$2"); ++ + $MigrateStats =~ /^(.*)$PROG(\d{0,2})(\d\d)(\d\d\d\d)(.*)\.txt$/; +- $SiteConfig = $5 ? $5 : 'xxx'; ++ $SiteConfig = &Sanitize($5 ? $5 : 'xxx'); + $SiteConfig =~ s/^\.//; # SiteConfig is used to find config file + } ++ ++ $SiteConfig =~ s/\.\.//g; # Avoid directory transversal + } + else { # Run from command line + $DebugMessages = 1; +@@ -17204,9 +17206,10 @@ else { # Run from command line + + # If migrate + if ( $ARGV[$_] =~ /(^|-|&|&)migrate=([^&]+)/i ) { +- $MigrateStats = "$2"; ++ $MigrateStats = &Sanitize("$2"); ++ + $MigrateStats =~ /^(.*)$PROG(\d{0,2})(\d\d)(\d\d\d\d)(.*)\.txt$/; +- $SiteConfig = $5 ? $5 : 'xxx'; ++ $SiteConfig = &Sanitize($5 ? $5 : 'xxx'); + $SiteConfig =~ s/^\.//; # SiteConfig is used to find config file + next; + } +@@ -17235,7 +17238,6 @@ else { # Run from command line + + if ( $QueryString =~ /config=([^&]+)/i ) { + $SiteConfig = &Sanitize("$1"); +- $SiteConfig =~ s/\.\.//g; + } + if ( $QueryString =~ /diricons=([^&]+)/i ) { $DirIcons = "$1"; } + if ( $QueryString =~ /pluginmode=([^&]+)/i ) { +@@ -17301,6 +17303,8 @@ else { # Run from command line + $ShowDirectOrigin = 1; + $QueryString =~ s/showdirectorigin[^&]*//i; + } ++ ++ $SiteConfig =~ s/\.\.//g; + } + if ( $QueryString =~ /(^|&|&)staticlinks/i ) { + $StaticLinks = "$PROG.$SiteConfig"; +-- +2.15.1 + diff --git a/awstats.spec b/awstats.spec index 24a15c8..e54c670 100644 --- a/awstats.spec +++ b/awstats.spec @@ -15,6 +15,8 @@ Patch1: awstats-7.0-httpd-2.4.patch %endif Patch2: awstats-awstats_path.patch +Patch3: FIX-Security-reported-by-cPanel-Security-Team-can-ex.patch +Patch4: Fix-another-vulnerability-reported-by-cPanel-Securit.patch # distribution specific definitions %define use_systemd (0%{?fedora} || 0%{?rhel} >= 7) @@ -68,6 +70,8 @@ http://localhost/awstats/awstats.pl %patch1 -p 1 %endif %patch2 -p 1 +%patch3 -p 1 +%patch4 -p 1 # Fix style sheets. perl -pi -e 's,/icon,/awstatsicons,g' wwwroot/css/*