Bug 130487 - net-www/awstats - multiple vulnerabilities (CVE-2006-1945|2237)

Bug#: 130487
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: major
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: jaervosz@gentoo.org
Component: Vulnerabilities
URL: http://pridels.blogspot.com/2006/04/awstats-65-vuln.html
Summary: net-www/awstats - multiple vulnerabilities (CVE-2006-1945|2237)
Keywords:
Status Whiteboard: C1 [glsa] DerCorny

Opened: 2006-04-19 08:42 0000
AWStats contains a flaw that allows a remote cross site scripting attack. This
flaw exists because input passed to the "config" parameter in "awstats.pl" isn't
properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust relationship between the
browser and the server, leading to a loss of integrity.
Also, when doing the XSS vuln. check, the attacker will get full path disclosure.
ka0ttic pls provide new ebuilds, thank you
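The reflection described above, as an added example that is not part of the bug report and not AWStats' own code: a CGI error page that interpolates the "config" parameter straight into HTML (and leaks the server path) next to a version that whitelists the name and HTML-escapes whatever it reflects. The function names, the whitelist pattern and the /var/www path are assumptions made for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed attacker value for the "config" parameter, i.e. the query string
#   awstats.pl?config=<script>alert(document.cookie)</script>
my $evil_config = '<script>alert(document.cookie)</script>';

# Vulnerable pattern: the parameter is interpolated into the error page with
# no encoding, so the browser renders the attacker's markup, and the message
# also reveals the full server-side path (assumed path for the example).
sub error_page_unsafe {
    my ($config) = @_;
    return "<p>Error: could not open config file "
         . "/var/www/awstats/awstats.$config.conf</p>\n";
}

# Minimal HTML escaping with no non-core module. '&' must be replaced first,
# otherwise the entities produced by the later substitutions get re-escaped.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Hardened pattern, two layers: validate the name against a whitelist first
# (a config name only needs word characters, dots and dashes; this pattern is
# an assumption for the example, not AWStats' own check), then escape what is
# reflected anyway, and never echo the server path.
sub config_name_ok {
    my ($name) = @_;
    return (defined $name && $name =~ /^\w[\w.-]*$/) ? 1 : 0;
}

sub error_page_safe {
    my ($config) = @_;
    return "<p>Error: invalid config name</p>\n" unless config_name_ok($config);
    return "<p>Error: could not open config file awstats."
         . html_escape($config) . ".conf</p>\n";
}

print "unsafe:  ", error_page_unsafe($evil_config);
print "escaped: ", html_escape($evil_config), "\n";
print "safe:    ", error_page_safe($evil_config);
print "safe:    ", error_page_safe('www.example.com');
```

The whitelist alone already stops this payload; the escaping is there for any value that is reflected without going through the whitelist, and the missing path in the safe message is what closes the disclosure the comment mentions.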
*** Bug 130546 has been marked as a duplicate of this bug. ***
This needs an upstream update or a patch
If the update of the stats via web front-end is allowed, a remote attacker can
execute arbitrary code on the server using a specially crafted request
involving the migrate parameter. Input starting with a pipe character ("|")
leads to an insecure call to Perl's open function and the rest of the input
being executed in a shell. The code is run in the context of the process
running the AWStats CGI.
Arbitrary code can be executed by uploading a specially crafted configuration
file if an attacker can put a file on the server with chosen file name and
content (e.g. by using an FTP account on a shared hosting server). In this
configuration file, the LogFile directive can be used to execute shell code
following a pipe character. As above, an open call on unsanitized input is the
source of this vulnerability.
Furthermore, the cross-site scripting vulnerability described in CVE-2006-1945
also exists with the diricons parameter and possibly others as well.
http://www.osreviews.net/reviews/comm/awstats
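The two open() problems described in the comment above (the "migrate" parameter and the LogFile directive), as an added example that is not part of the bug report and not AWStats' own code: a two-argument open that lets a leading "|" fork a shell, beside a hardened version that whitelists the name and uses a three-argument open with a fixed mode. The input strings, the config fragment, the function names and the whitelist pattern are constructed for this example; a harmless echo stands in for a real payload.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed inputs. The first is what an attacker could send as
# ?migrate=|... ; the second is a legitimate-looking history file name.
my $evil_name = '|echo MIGRATE-COMMAND-RAN';
my $good_name = 'awstats042006.example.com.txt';

# Vulnerable pattern: two-argument open. Perl parses the string itself:
# a leading "|" pipes to a shell command, a trailing "|" reads from one,
# and ">", ">>", "+<" prefixes change the mode. The attacker controls all of it.
sub open_history_unsafe {
    my ($name) = @_;
    open(my $fh, $name) or return;   # "|echo ..." forks a shell here
    return $fh;
}

# Hardened pattern, two independent layers:
#  1. whitelist the characters a history/config name may contain and require
#     it to start with a word character, so "-" (STDIN) is excluded too
#     (assumed policy for this example, not AWStats' own check);
#  2. three-argument open with a fixed read mode, so the string can only
#     ever be a filename, never a pipe or a mode prefix.
sub history_name_ok {
    my ($name) = @_;
    return (defined $name && $name =~ /^\w[\w.-]*$/) ? 1 : 0;
}

sub open_history_safe {
    my ($name) = @_;
    return unless history_name_ok($name);
    open(my $fh, '<', $name) or return;
    return $fh;
}

# The LogFile directive reaches the same kind of open(). This constructed
# config fragment is what an attacker with FTP access could drop on the host.
my $config_text = <<'CONF';
# attacker-supplied awstats.evil.conf
LogFile="|echo LOGFILE-COMMAND-RAN"
SiteDomain="evil.example"
CONF

sub logfile_directive {
    my ($text) = @_;
    for my $line (split /\n/, $text) {
        next if $line =~ /^\s*#/;
        return $1 if $line =~ /^\s*LogFile\s*=\s*"([^"]*)"\s*$/;
    }
    return;
}

my $logfile = logfile_directive($config_text);

# 1. Validation alone stops both payloads before any open() is reached.
for my $name ($evil_name, $logfile, $good_name) {
    printf "%-40s validation: %s\n", "'$name'",
        history_name_ok($name) ? 'ok' : 'REJECTED';
}

# 2. Three-argument open alone also runs nothing: "|echo ..." is just a
#    filename that does not exist, so open() fails with ENOENT.
for my $name ($evil_name, $logfile) {
    my $ok = open(my $fh, '<', $name);
    printf "3-arg open of %-30s -> %s\n", "'$name'", $ok ? 'opened' : "failed: $!";
}

# 3. The vulnerable opener, for comparison: both shell commands execute and
#    their echo output appears on stdout.
for my $name ($evil_name, $logfile) {
    if (my $fh = open_history_unsafe($name)) { close $fh }
}
```

Run it as a normal user; the only side effect of the vulnerable branch is the two echo lines, which is exactly the point: with the two-argument form, whatever the request or config file puts after the pipe runs as the AWStats CGI user.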
web-apps team please bump since ka0ttic is not responding.
Hi,
sec-team :
please add CVE-2006-2237 to the summary. It concerns the execution of arbitrary
code in the migrate parameter pointed out in comment #4 by carlo.
web-apps :
awstats-6.6 is out.
Or, if you prefer, a patch is available from debian :
http://security.debian.org/pool/updates/main/a/awstats/awstats_6.4-1sarge2.diff.gz
But I think introducing and stabilizing 6.6 is the best choice, since it
corrects the other vulns (CVE-2006-1945 particularly)
web-apps, please act? We're so late... Or, sec-team, we should try to bump an
ebuild ourselves as the policy says.
arches pls test and stable, thank you
If 6.5 has a vulnerability, and 6.6 slots, how does that fix 6.5, since it
stays on your system and available? Shouldn't 6.6 replace 6.5? This way, if
people get the upgrade without knowing about the CVE, then they might not
switch to the new version...
Anyway, amd64 stable.
(In reply to comment #11)
> If 6.5 has a vulnerability, and 6.6 slots, how does that fix 6.5, since it
> stays on your system and available? Shouldn't 6.6 replace 6.5?
Fixed (no revbump), the slotting was indeed broken...
regarding #14:
When I try to upgrade to awstats-6.6, portage still wants to slot it:
# emerge -pv awstats
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild NS ] net-www/awstats-6.6 USE="-vhosts" 0 kB
Total size of downloads: 0 kB
I think that I have the most recent version of the ebuild:
$ ls -l /usr/portage/net-www/awstats/awstats-6.6.ebuild
-rw-r--r-- 1 root root 4012 May 21 01:08
/usr/portage/net-www/awstats/awstats-6.6.ebuild
What am I doing wrong?
thanks jakub - back into ebuild status. ka0ttic please revbump 6.5 with the
patches applied, thanks
BTW, we should add dev-perl/URI dep (Bug 122913) while fixing this.
ok, seems like there is no maintainer and nobody bothers to bump it, so I
masked it since the revbump takes longer than I thought ... will send a mail to
-dev soon, if nobody replies in 24h then we'll probably have to issue a
tempglsa (should've been done looong ago ...)
net-www/awstats-6.5-r1 was just added to the tree, with jakub's patch included.
Arch teams: keywording time!
Best regards, CHTEKK.
arches, please test and mark 6.5-r1 as stable, thanks
a 'thank you' also flies out to jakub and CHTEKK
awstats-6.5-r1 stable on alpha and amd64.