"Multiple flaws were reported, in current versions of AWStats' awredir.pl
URL redirection abuse:
SQL injection flaw (only if $TRACEBASE is enabled and DBI is included):
HTTP Response Splitting flaw:
CRLF Injection flaw (injection in logs is possible if $DEBUG and/or $TRACEFILE
Out of the above flaws, I believe that only the XSS flaws are feasible to
abuse, as an attacker would need to know the value of $KEYFORMD5, which is
defined in awredir.pl (the key generated is an md5_hash() of the $KEYFORMD5 and
the URL to redirect to, although $KEYFORMD5 can be left blank (although there
are notes in the script itself about a blank value being a security risk)).
Upstream does not yet have a fix available or in CVS.
http://awstats.cvs.sourceforge.net/viewvc/awstats/awstats/wwwroot/cgi-bin/"
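The key scheme the report describes (an MD5 over $KEYFORMD5 and the target URL), modelled here as an added Python example that is not awredir.pl's own code, together with the checks a hardened redirector would apply: refuse a blank key secret, reject CR/LF in the target (the response-splitting and log-injection vector), and allow-list the destination host. The concatenation order and the allow-list are assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

def make_key(secret: str, url: str) -> str:
    """Model of the report's key: md5 over $KEYFORMD5 and the URL.
    The exact concatenation awredir.pl uses is an assumption here."""
    return hashlib.md5((secret + url).encode("utf-8")).hexdigest()

def sanitize_for_log(value: str) -> str:
    """Neutralise CR/LF before writing untrusted input to a trace or debug
    log, so a crafted URL cannot forge extra log lines."""
    return value.replace("\r", "\\r").replace("\n", "\\n")

def validate_redirect(secret: str, url: str, key: str, allowed_hosts: set):
    """Return (ok, reason) for a requested redirect.

    Order matters for defence in depth: a blank secret is rejected outright
    because anyone can then compute a valid key for any URL, which is the
    risk the script's own notes warn about."""
    if not secret:
        return False, "blank $KEYFORMD5: keys can be forged for any URL"
    if not hmac.compare_digest(make_key(secret, url), key):
        return False, "key does not match URL"
    if "\r" in url or "\n" in url:
        return False, "CR/LF in target: header injection / response splitting"
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "unsupported scheme"
    if parts.hostname not in allowed_hosts:
        return False, "target host not on allow-list (open redirect)"
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample request: a valid key for an allow-listed host.
    secret, hosts = "s3cret-example", {"example.com"}
    target = "http://example.com/stats"
    print(validate_redirect(secret, target, make_key(secret, target), hosts))
```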
Okay so we wait... we might wait forever honestly...
7.1-r1 is in tree and solves all of this.
Arches, please test and mark stable:
Target KEYWORDS="amd64 hppa ppc x86"
chmod is called in src_install, please use fperms
Installed correctly on amd64, I don't have a chance to test it on a webserver.
Thanks, that code has been there for the longest I remember.
Actually no it cannot use fperms there because it uses glob expansion.
(In reply to comment #6)
> Actually no it cannot use fperms there because it uses glob expansion.
Ok, no problem
(In reply to comment #3)
> Arches, please test and mark stable:
> Target KEYWORDS="amd64 hppa ppc x86"
Erm sorry I'll commit -r2 in a moment as I broke it in a slightly different way,
(In reply to comment #8)
> Erm sorry I'll commit -r2 in a moment as I broke it in a slightly different
Since I'm unable to test it, I asked Mauro (https://bugs.gentoo.org/show_bug.cgi?id=353716#c9) to test it on his webserver. Will r2 include the fix based on his report in bug 353716?
Compile tested only; ~amd64 ok
Yup, Mauro's report is the one I have to fix, just give me a moment as I'm a bit messed up.
r2 seems to go.
amd64: emerge pass
+ 15 Nov 2011; Tony Vroon <email@example.com> awstats-7.1-r2.ebuild:
+ Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo &
+ Elijah "Armageddon" El Lazkani in security bug #384237.
Stable for HPPA.
ppc done; closing as last arch
@security, please vote
Thanks, everyone. GLSA Vote: no (only because it sounds like the SQLi isn't readily exploitable).