From $URL: "Multiple flaws were reported [1],[2] in current versions of AWStats' awredir.pl script: URL redirection abuse: http://site/awredir.pl?key=0f3830803a70cc1636af3548b66ed978&url=http://websecurity.com.ua SQL injection flaw (only if $TRACEBASE is enabled and DBI is included): http://site/awredir.pl?key=f38ed1cdb04c8bda5386f7755a4e1d3e&url='%20and%20benchmark(10000,md5(now()))/* XSS flaws: http://site/awredir.pl?url=%3Cscript%3Ealert(document.cookie)%3C/script%3E http://site/awredir.pl?key=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP Response Splitting flaw: http://site/awredir.pl?key=04ed5362e853c72ca275818a7c0c5857&url=%0AHeader:1 CRLF Injection flaw (injection in logs is possible if $DEBUG and/or $TRACEFILE are enabled): http://site/awredir.pl?key=4b9faa91e2529400c4f3c70833b4e4a5&url=%0AText Out of the above flaws, I believe that only the XSS flaws are feasible to abuse, as an attacker would need to know the value of $KEYFORMD5, which is defined in awredir.pl (the key generated is a md5_hash() of the $KEYFORMD5 and the URL to redirect to, although $KEYFORMD5 can be left blank (although there are notes in the script itself about a blank value being a security risk)). Upstream does not yet have a fix available or in CVS [3]. [1] http://seclists.org/fulldisclosure/2011/Sep/234 [2] http://websecurity.com.ua/5380/ [3] http://awstats.cvs.sourceforge.net/viewvc/awstats/awstats/wwwroot/cgi-bin/ "
Okay so we wait... we might wait forever honestly...
7.1-r1 is in tree and solves all of this.
Arches, please test and mark stable: =www-misc/awstats-7.1 Target KEYWORDS="amd64 hppa ppc x86"
@Flameeyes chmod is called in src_install, please use fperms Installed correctly on amd64, I don't have a chance to test it on a webserver.
Thanks, that code has been there for the longest I remember.
Actually no it cannot use fperms there because it uses glob expansion.
(In reply to comment #6) > Actually no it cannot use fperms there because it uses glob expansion. Ok, no problem (In reply to comment #3) > Arches, please test and mark stable: > > =www-misc/awstats-7.1 > Target KEYWORDS="amd64 hppa ppc x86" =www-misc/awstats-7.1-r1
Erm sorry I'll commit -r2 in a moment as I broke it in a slightly different way,
(In reply to comment #8) > Erm sorry I'll commit -r2 in a moment as I broke it in a slightly different > way, Since I'm unable to test it, I asked Mauro(https://bugs.gentoo.org/show_bug.cgi?id=353716#c9) to test it on his webserver. In r2 there will be the fix based on his report in bug 353716 ?
Compile tested only; ~amd64 ok
Yup, Mauro's report is the one I have to fix, just give me a moment as I'm a bit messed up.
r2 seems to go.
x86 stable
amd64: emerge pass
+ 15 Nov 2011; Tony Vroon <chainsaw@gentoo.org> awstats-7.1-r2.ebuild: + Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & + Elijah "Armageddon" El Lazkani in security bug #384237.
Stable for HPPA.
ppc done; closing as last arch
@security, please vote
Thanks, everyone. GLSA Vote: no (only because it sounds like the SQLi isn't readily exploitable).
Vote: NO.
