| Field | Value |
|---|---|
| Summary | net-www/awstats - multiple vulnerabilities (CVE-2006-1945\|2237) |
| Product | Gentoo Security |
| Reporter | Sune Kloppenborg Jeppesen (RETIRED) <jaervosz> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | major |
| CC | ka0ttic, matthew.cline, portage, sgtphou, tcort, web-apps |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://pridels.blogspot.com/2006/04/awstats-65-vuln.html |
| Whiteboard | C1 [glsa] DerCorny |
| Package list | |
| Runtime testing required | --- |
| Attachments | awstats-6.5-CVE-2006-2237-CVE-2006-1945.diff (attachment 87626) |
Description (Sune Kloppenborg Jeppesen (RETIRED), 2006-04-19 08:42:33 UTC)
ka0ttic pls provide new ebuilds, thank you

*** Bug 130546 has been marked as a duplicate of this bug. ***

This needs an upstream update or a patch

If the update of the stats via web front-end is allowed, a remote attacker can execute arbitrary code on the server using a specially crafted request involving the migrate parameter. Input starting with a pipe character ("|") leads to an insecure call to Perl's open function and the rest of the input being executed in a shell. The code is run in the context of the process running the AWStats CGI.

Arbitrary code can be executed by uploading a specially crafted configuration file if an attacker can put a file on the server with chosen file name and content (e.g. by using an FTP account on a shared hosting server). In this configuration file, the LogFile directive can be used to execute shell code following a pipe character. As above, an open call on unsanitized input is the source of this vulnerability.

Furthermore, the cross-site scripting vulnerability described in CVE-2006-1945 also exists with the diricons parameter and possibly others as well.

http://www.osreviews.net/reviews/comm/awstats

Fixed in awstats 6.6
http://awstats.sourceforge.net/awstats_security_news.php

--> [ebuild] and CVE-2006-1945

web-apps team please bump since ka0ttic is not responding.

Hi, sec-team : please add CVE-2006-2237 to the summary. It concerns the execution of arbitrary code in the migrate parameter pointed out in comment #4 by carlo.

web-apps : awstats-6.6 is out. Or, if you prefer, a patch is available from debian : http://security.debian.org/pool/updates/main/a/awstats/awstats_6.4-1sarge2.diff.gz
But i think introducing and stabilizing 6.6 is the best choice, since it corrects the other vulns (CVE-2006-1945 particularly)

web-apps, please act ? we're so late... Or, sec-team, we should try to bump an ebuild ourselves as the policy says.
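The two vulnerabilities above share one root cause: a value under the user's control (the migrate parameter, or the LogFile directive of an uploaded config) reaches Perl's two-argument open(), which parses the mode, including a pipe to a shell, out of the data itself. The following is an added illustration, not AWStats code or the Debian patch: a name allowlist plus three-argument open() so the mode is fixed by the program. The function names, the $LOG_DIR confinement and the sample log line are assumptions of this example.

```perl
#!/usr/bin/perl
# Added example (not from the AWStats project or this bug's patch):
# the unsafe two-argument open() pattern beside a hardened replacement.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Directory that log files are confined to (assumed for this example).
my $LOG_DIR;

# True only for a plain base name that cannot change the meaning of an open()
# call: no "|", no "/", no whitespace, no NUL, no leading "-" or ".".
sub is_safe_name {
    my ($name) = @_;
    return 0 unless defined $name;
    return $name =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,254}\z/ ? 1 : 0;
}

# Vulnerable shape (two-argument open): the mode is parsed out of $name, so a
# leading or trailing "|" turns a file open into a shell pipe. This is the
# defect class behind CVE-2006-2237; it is shown here only for contrast and is
# never called with untrusted input in this script.
sub unsafe_open {
    my ($name) = @_;
    open(my $fh, $name) or return;
    return $fh;
}

# Hardened shape: validate first, then three-argument open with a fixed
# read-only mode and a path built under $LOG_DIR. Returns ($fh, undef) on
# success or (undef, $reason) on rejection/failure.
sub safe_open_log {
    my ($name) = @_;
    return (undef, 'rejected: unsafe file name') unless is_safe_name($name);
    my $path = "$LOG_DIR/$name";
    open(my $fh, '<', $path) or return (undef, "open failed: $!");
    return ($fh, undef);
}

# Constructed sample log file in a throwaway directory.
$LOG_DIR = tempdir(CLEANUP => 1);
open(my $w, '>', "$LOG_DIR/access.log") or die "cannot create sample log: $!";
print $w "127.0.0.1 - - [01/May/2006:00:00:00 +0000] \"GET / HTTP/1.0\" 200 12\n";
close $w;

# Constructed candidates: one legitimate name and several that would have been
# interpreted as a pipe or a path by two-argument open().
for my $candidate ('access.log', '|id', 'id|', '../../etc/passwd', '-rf') {
    my ($fh, $err) = safe_open_log($candidate);
    if ($fh) {
        my $first = <$fh>;
        close $fh;
        printf "%-20s opened, first line: %s", $candidate, $first;
    } else {
        printf "%-20s %s\n", $candidate, $err;
    }
}
```

Only "access.log" is opened; every other candidate is rejected by is_safe_name before any open() call. Three-argument open() alone already stops the pipe interpretation, but the allowlist also prevents directory escape and keeps the error path explicit, which is the check a reviewer would look for when auditing CGI code that builds file names from request parameters.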
i'd even tend to mask it

6.6 in CVS arches pls test and stable, thank you

If 6.5 has a vulnerability, and 6.6 slots, how does that fix 6.5, since it stays on your system and available? Shouldn't 6.6 replace 6.5? This way, if people get the upgrade without knowing about the CVE, then they might not switch to the new version... Anyway, amd64 stable.

alpha done.

ppc stable

(In reply to comment #11)
> If 6.5 has a vulnerability, and 6.6 slots, how does that fix 6.5, since it
> stays on your system and available? Shouldn't 6.6 replace 6.5?

Fixed (no revbump), the slotting was indeed broken...

x86 done

ready for glsa

regarding #14: When I try to upgrade to awstats-6.6, portage still wants to slot it:

    # emerge -pv awstats
    These are the packages that would be merged, in order:
    Calculating dependencies... done!
    [ebuild NS ] net-www/awstats-6.6 USE="-vhosts" 0 kB
    Total size of downloads: 0 kB

I think that I have the most recent version of the ebuild:

    $ ls -l /usr/portage/net-www/awstats/awstats-6.6.ebuild
    -rw-r--r-- 1 root root 4012 May 21 01:08 /usr/portage/net-www/awstats/awstats-6.6.ebuild

What am I doing wrong?

Created attachment 87626 [details, diff]
awstats-6.5-CVE-2006-2237-CVE-2006-1945.diff

OK, since awstats-6.6 is pretty much broken (see Bug 134296) and also not considered stable upstream, I've hacked a 6.5 patch for CVE-2006-2237 and CVE-2006-1945 - based on Debian patches here: http://debian.osuosl.org/debian/pool/main/a/awstats/awstats_6.5-2.diff.gz
Please, test this instead...

thanks jakub - back into ebuild status. ka0ttic please revbump 6.5 with the patches applied, thanks

BTW, we should add dev-perl/URI dep (Bug 122913) while fixing this.

ok, seems like there is no maintainer and nobody bothers to bump it, so i masked it since the revbump takes longer than i thought ... will send a mail to -dev soon, if nobody replies in 24h then we'll probably have to issue a tempglsa (should've been done looong ago ...)
net-www/awstats-6.5-r1 was just added to the tree, with jakub's patch included. Arch teams: keywording time! Best regards, CHTEKK.

arches, please test and mark 6.5-r1 as stable, thanks
a 'thank you' also flies out to jakub and CHTEKK

x86 done again

ppc stable

awstats-6.5-r1 stable on alpha and amd64.

ready for glsa

GLSA 200606-06