Bug 384237 (CVE-2009-5020)

Summary:	<www-misc/awstats-7.1-r2 multiple vulnerabilities in awredir.pl (CVE-2009-5020,CVE-2010-4367)
Product:	Gentoo Security	Reporter:	Sean Amoss (RETIRED) <ackle>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	flameeyes, web-apps
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://bugzilla.redhat.com/show_bug.cgi?id=740926
Whiteboard:	B4 [noglsa]
Package list:		Runtime testing required:	---

Description Sean Amoss (RETIRED) gentoo-dev

2011-09-23 20:12:07 UTC

From $URL:

"Multiple flaws were reported [1],[2] in current versions of AWStats' awredir.pl
script:

URL redirection abuse:
   
http://site/awredir.pl?key=0f3830803a70cc1636af3548b66ed978&url=http://websecurity.com.ua

SQL injection flaw (only if $TRACEBASE is enabled and DBI is included):
   
http://site/awredir.pl?key=f38ed1cdb04c8bda5386f7755a4e1d3e&url='%20and%20benchmark(10000,md5(now()))/*

XSS flaws:
    http://site/awredir.pl?url=%3Cscript%3Ealert(document.cookie)%3C/script%3E
    http://site/awredir.pl?key=%3Cscript%3Ealert(document.cookie)%3C/script%3E

HTTP Response Splitting flaw:
    http://site/awredir.pl?key=04ed5362e853c72ca275818a7c0c5857&url=%0AHeader:1

CRLF Injection flaw (injection in logs is possible if $DEBUG and/or $TRACEFILE
are enabled):
    http://site/awredir.pl?key=4b9faa91e2529400c4f3c70833b4e4a5&url=%0AText

Out of the above flaws, I believe that only the XSS flaws are feasible to
abuse, as an attacker would need to know the value of $KEYFORMD5, which is
defined in awredir.pl (the key generated is a md5_hash() of the $KEYFORMD5 and
the URL to redirect to, although $KEYFORMD5 can be left blank (although there
are notes in the script itself about a blank value being a security risk)).

Upstream does not yet have a fix available or in CVS [3].

[1] http://seclists.org/fulldisclosure/2011/Sep/234
[2] http://websecurity.com.ua/5380/
[3] http://awstats.cvs.sourceforge.net/viewvc/awstats/awstats/wwwroot/cgi-bin/ "

Comment 1 Diego Elio Pettenò (RETIRED) gentoo-dev

2011-09-25 13:06:35 UTC

Okay so we wait... we might wait forever honestly...

Comment 2 Diego Elio Pettenò (RETIRED) gentoo-dev

2011-11-11 12:34:05 UTC

7.1-r1 is in tree and solves all of this.

Comment 3 Sean Amoss (RETIRED) gentoo-dev

2011-11-11 12:50:43 UTC

Arches, please test and mark stable:

=www-misc/awstats-7.1
Target KEYWORDS="amd64 hppa ppc x86"

Comment 4 Agostino Sarubbo gentoo-dev

2011-11-11 13:49:19 UTC

@Flameeyes

chmod is called in src_install, please use fperms


Installed correctly on amd64, I don't have a chance to test it on a webserver.

Comment 5 Diego Elio Pettenò (RETIRED) gentoo-dev

2011-11-11 14:03:41 UTC

Thanks, that code has been there for the longest I remember.

Comment 6 Diego Elio Pettenò (RETIRED) gentoo-dev

2011-11-11 14:04:25 UTC

Actually no it cannot use fperms there because it uses glob expansion.

Comment 7 Agostino Sarubbo gentoo-dev

2011-11-11 15:46:51 UTC

(In reply to comment #6)
> Actually no it cannot use fperms there because it uses glob expansion.

Ok, no problem


(In reply to comment #3)
> Arches, please test and mark stable:
> 
> =www-misc/awstats-7.1
> Target KEYWORDS="amd64 hppa ppc x86"

=www-misc/awstats-7.1-r1

Comment 8 Diego Elio Pettenò (RETIRED) gentoo-dev

2011-11-11 16:07:15 UTC

Erm sorry I'll commit -r2 in a moment as I broke it in a slightly different way,

Comment 9 Agostino Sarubbo gentoo-dev

2011-11-11 16:12:22 UTC

(In reply to comment #8)
> Erm sorry I'll commit -r2 in a moment as I broke it in a slightly different
> way,

Since I'm unable to test it, I asked Mauro(https://bugs.gentoo.org/show_bug.cgi?id=353716#c9) to test it on his webserver. In r2 there will be the fix based on his report in bug 353716 ?

Comment 10 Michael Harrison 2011-11-11 16:20:29 UTC

Compile tested only; ~amd64 ok

Comment 11 Diego Elio Pettenò (RETIRED) gentoo-dev

2011-11-11 16:50:52 UTC

Yup, Mauro's report is the one I have to fix, just give me a moment as I'm a bit messed up.

Comment 12 Agostino Sarubbo gentoo-dev

2011-11-12 10:33:29 UTC

r2 seems to go.

Comment 13 Markus Meier gentoo-dev

2011-11-13 14:48:51 UTC

x86 stable

Comment 14 Elijah "Armageddon" El Lazkani (amd64 AT) 2011-11-15 03:45:28 UTC

amd64: emerge pass

Comment 15 Tony Vroon (RETIRED) gentoo-dev

2011-11-15 09:01:00 UTC

+  15 Nov 2011; Tony Vroon <chainsaw@gentoo.org> awstats-7.1-r2.ebuild:
+  Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo &
+  Elijah "Armageddon" El Lazkani in security bug #384237.

Comment 16 Jeroen Roovers (RETIRED) gentoo-dev

2011-11-15 15:03:22 UTC

Stable for HPPA.

Comment 17 Brent Baude (RETIRED) gentoo-dev

2012-02-01 17:06:52 UTC

ppc done; closing as last arch

Comment 18 Agostino Sarubbo gentoo-dev

2012-02-01 17:26:11 UTC

@security, please vote

Comment 19 Tim Sammut (RETIRED) gentoo-dev

2012-02-02 02:43:42 UTC

Thanks, everyone. GLSA Vote: no (only because it sounds like the SQLi isn't readily exploitable).

Comment 20 Stefan Behte (RETIRED) gentoo-dev

2012-03-06 01:00:20 UTC

Vote: NO.