AWStats contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "config" parameter in "awstats.pl" isn't properly sanitised before being returned to the user. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. Also, when doing the XSS vuln. check, the attacker will get full path disclosure.
ka0ttic pls provide new ebuilds, thank you
*** Bug 130546 has been marked as a duplicate of this bug. ***
This needs an upstream update or a patch
If the update of the stats via web front-end is allowed, a remote attacker can execute arbitrary code on the server using a specially crafted request involving the migrate parameter. Input starting with a pipe character ("|") leads to an insecure call to Perl's open function and the rest of the input being executed in a shell. The code is run in the context of the process running the AWStats CGI. Arbitrary code can be executed by uploading a specially crafted configuration file if an attacker can put a file on the server with chosen file name and content (e.g. by using an FTP account on a shared hosting server). In this configuration file, the LogFile directive can be used to execute shell code following a pipe character. As above, an open call on unsanitized input is the source of this vulnerability. Furthermore, the cross-site scripting vulnerability described in CVE-2006-1945 also exists with the diricons parameter and possibly others as well. http://www.osreviews.net/reviews/comm/awstats
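The root cause described above is Perl's two-argument open, which treats a leading "|" in its second argument as a pipe to a shell. As an added example (not AWStats code and not part of this bug report), the hardened pattern is a strict whitelist on the parameter value plus the three-argument form of open, with an HTML escape for anything echoed back; the function names, the config file naming scheme and the sample inputs are assumptions constructed for illustration:

```perl
#!/usr/bin/perl
# Hardened handling of CGI parameters such as "config" and "migrate":
# whitelist validation plus a three-argument open, so a leading pipe
# character can never turn a file name into a shell command.
use strict;
use warnings;

# Only allow names made of letters, digits, dot, dash and underscore.
# Anything else (including "|", "/", ";", spaces) is rejected outright.
sub safe_name {
    my ($value) = @_;
    return undef unless defined $value;
    return undef unless $value =~ /\A[A-Za-z0-9._-]{1,64}\z/;
    return undef if $value =~ /\.\./;    # no "a..b" style traversal either
    return $value;
}

# Open a configuration file strictly for reading. The three-argument
# form open($fh, '<', $path) passes $path as a literal file name; the
# two-argument form open($fh, $path) would treat "|cmd" as a pipe.
# Directory and naming scheme are assumptions for this example.
sub open_config {
    my ($dir, $name) = @_;
    my $safe = safe_name($name) or return undef;
    my $path = "$dir/awstats.$safe.conf";
    open(my $fh, '<', $path) or return undef;
    return $fh;
}

# Escape a value before echoing it back in an HTML page (the XSS fix
# for reflected parameters such as "config" or "diricons").
sub html_escape {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Constructed sample inputs (not real requests): only the first one
# should be accepted as a config name; all are safe to display.
for my $param ('example.org', '|ls', '../etc/passwd', '<script>x</script>') {
    my $verdict = defined safe_name($param) ? 'accepted' : 'rejected';
    printf "%-22s %-8s shown as: %s\n", $param, $verdict, html_escape($param);
}
```

Rejecting the value before it reaches open is what matters; the three-argument open is defence in depth in case validation is ever bypassed elsewhere.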
Fixed in awstats 6.6 http://awstats.sourceforge.net/awstats_security_news.php --> [ebuild] and CVE-2006-1945
web-apps team, please bump since ka0ttic is not responding.
Hi, sec-team: please add CVE-2006-2237 to the summary. It concerns the execution of arbitrary code in the migrate parameter pointed out in comment #4 by carlo. web-apps: awstats-6.6 is out. Or, if you prefer, a patch is available from debian: http://security.debian.org/pool/updates/main/a/awstats/awstats_6.4-1sarge2.diff.gz But I think introducing and stabilizing 6.6 is the best choice, since it corrects the other vulns (CVE-2006-1945 particularly). web-apps, please act? We're so late... Or, sec-team, we should try to bump an ebuild ourselves as the policy says.
i'd even tend to mask it
6.6 in CVS
arches pls test and stable, thank you
If 6.5 has a vulnerability, and 6.6 slots, how does that fix 6.5, since it stays on your system and available? Shouldn't 6.6 replace 6.5? This way, if people get the upgrade without knowing about the CVE, then they might not switch to the new version... Anyway, amd64 stable.
alpha done.
ppc stable
(In reply to comment #11)
> If 5 has a vulnerability, and 6.6 slots, how does that fix 6.5, since it
> stays on your system and available? Shouldn't 6.6 replace 6.5?
Fixed (no revbump), the slotting was indeed broken...
x86 done
ready for glsa
regarding #14: When I try to upgrade to awstats-6.6, portage still wants to slot it:

# emerge -pv awstats
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild NS ] net-www/awstats-6.6 USE="-vhosts" 0 kB
Total size of downloads: 0 kB

I think that I have the most recent version of the ebuild:

$ ls -l /usr/portage/net-www/awstats/awstats-6.6.ebuild
-rw-r--r-- 1 root root 4012 May 21 01:08 /usr/portage/net-www/awstats/awstats-6.6.ebuild

What am I doing wrong?
Created attachment 87626: awstats-6.5-CVE-2006-2237-CVE-2006-1945.diff. OK, since awstats-6.6 is pretty much broken (see Bug 134296) and also not considered stable upstream, I've hacked a 6.5 patch for CVE-2006-2237 and CVE-2006-1945, based on the Debian patches here: http://debian.osuosl.org/debian/pool/main/a/awstats/awstats_6.5-2.diff.gz Please test this instead...
thanks jakub - back into ebuild status. ka0ttic, please revbump 6.5 with the patches applied, thanks
BTW, we should add dev-perl/URI dep (Bug 122913) while fixing this.
ok, seems like there is no maintainer and nobody bothers to bump it, so I masked it since the revbump takes longer than I thought ... will send a mail to -dev soon; if nobody replies in 24h then we'll probably have to issue a tempglsa (should've been done looong ago ...)
net-www/awstats-6.5-r1 was just added to the tree, with jakub's patch included. Arch teams: keywording time! Best regards, CHTEKK.
arches, please test and mark 6.5-r1 as stable, thanks. A 'thank you' also flies out to jakub and CHTEKK.
x86 done again
awstats-6.5-r1 stable on alpha and amd64.
GLSA 200606-06