Bug 384237 (CVE-2009-5020) - <www-misc/awstats-7.1-r2 multiple vulnerabilities in awredir.pl (CVE-2009-5020,CVE-2010-4367)
Status: RESOLVED FIXED
Alias: CVE-2009-5020
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B4 [noglsa]
Reported: 2011-09-23 20:12 UTC by Sean Amoss (RETIRED)
Modified: 2012-03-06 01:00 UTC

Description Sean Amoss (RETIRED) gentoo-dev Security 2011-09-23 20:12:07 UTC
From $URL:

"Multiple flaws were reported [1],[2] in current versions of AWStats' awredir.pl
script:

URL redirection abuse:
    http://site/awredir.pl?key=0f3830803a70cc1636af3548b66ed978&url=http://websecurity.com.ua

SQL injection flaw (only if $TRACEBASE is enabled and DBI is included):
    http://site/awredir.pl?key=f38ed1cdb04c8bda5386f7755a4e1d3e&url='%20and%20benchmark(10000,md5(now()))/*

XSS flaws:
    http://site/awredir.pl?url=%3Cscript%3Ealert(document.cookie)%3C/script%3E
    http://site/awredir.pl?key=%3Cscript%3Ealert(document.cookie)%3C/script%3E

HTTP Response Splitting flaw:
    http://site/awredir.pl?key=04ed5362e853c72ca275818a7c0c5857&url=%0AHeader:1

CRLF Injection flaw (injection in logs is possible if $DEBUG and/or $TRACEFILE
are enabled):
    http://site/awredir.pl?key=4b9faa91e2529400c4f3c70833b4e4a5&url=%0AText

Out of the above flaws, I believe that only the XSS flaws are feasible to
abuse, as an attacker would need to know the value of $KEYFORMD5, which is
defined in awredir.pl (the key generated is a md5_hash() of the $KEYFORMD5 and
the URL to redirect to), although $KEYFORMD5 can be left blank (there are
notes in the script itself about a blank value being a security risk).

Upstream does not yet have a fix available or in CVS [3].

[1] http://seclists.org/fulldisclosure/2011/Sep/234
[2] http://websecurity.com.ua/5380/
[3] http://awstats.cvs.sourceforge.net/viewvc/awstats/awstats/wwwroot/cgi-bin/ "
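The checks a hardened redirector needs for the flaw classes listed above, as an added Python illustration that is not awredir.pl's own code; the secret (standing in for $KEYFORMD5), the host allow list, and the concatenation order secret + URL are assumptions made for the example:

```python
from __future__ import annotations
import hashlib
import hmac
import html
from urllib.parse import urlsplit

# Constructed values for this illustration: KEYFORMD5 is an assumed analogue of
# awredir.pl's $KEYFORMD5, and the allow list is invented for the example.
KEYFORMD5 = "example-secret-replace-me"
ALLOWED_HOSTS = {"www.example.org", "docs.example.org"}


def make_key(url: str) -> str:
    """Hex MD5 over secret + URL; the concatenation order is an assumption."""
    return hashlib.md5((KEYFORMD5 + url).encode("utf-8")).hexdigest()


def validate_redirect(key: str, url: str) -> tuple[bool, str]:
    """Return (ok, reason); ok is True only when every check passes."""
    # An empty secret lets anyone compute a valid key for any URL (the report's
    # blank-$KEYFORMD5 risk), so refuse to operate at all in that state.
    if not KEYFORMD5:
        return False, "empty secret"
    # CR/LF in either parameter is what enables header injection and log injection.
    if any(c in key + url for c in "\r\n"):
        return False, "CR/LF in parameter"
    # Constant-time comparison against the key expected for this exact URL.
    if not hmac.compare_digest(key, make_key(url)):
        return False, "key mismatch"
    # Even with a valid key, only absolute http(s) URLs to listed hosts are followed,
    # which closes the open-redirect case.
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.hostname not in ALLOWED_HOSTS:
        return False, "destination not allowed"
    return True, "ok"


def refusal_body(reason: str, url: str) -> str:
    """Reflected parameters are HTML-escaped before being echoed to the client."""
    return f"<p>Redirect refused ({html.escape(reason)}): {html.escape(url)}</p>"


if __name__ == "__main__":
    good = "https://www.example.org/docs/"
    print(validate_redirect(make_key(good), good))
    split = "https://www.example.org/x\nHeader:1"
    print(validate_redirect(make_key(split), split))
```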
Comment 1 Diego Elio Pettenò (RETIRED) gentoo-dev 2011-09-25 13:06:35 UTC
Okay so we wait... we might wait forever honestly...
Comment 2 Diego Elio Pettenò (RETIRED) gentoo-dev 2011-11-11 12:34:05 UTC
7.1-r1 is in tree and solves all of this.
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2011-11-11 12:50:43 UTC
Arches, please test and mark stable:

=www-misc/awstats-7.1
Target KEYWORDS="amd64 hppa ppc x86"
Comment 4 Agostino Sarubbo gentoo-dev 2011-11-11 13:49:19 UTC
@Flameeyes

chmod is called in src_install, please use fperms


Installed correctly on amd64, I don't have a chance to test it on a webserver.
Comment 5 Diego Elio Pettenò (RETIRED) gentoo-dev 2011-11-11 14:03:41 UTC
Thanks, that code has been there for the longest I remember.
Comment 6 Diego Elio Pettenò (RETIRED) gentoo-dev 2011-11-11 14:04:25 UTC
Actually no it cannot use fperms there because it uses glob expansion.
Comment 7 Agostino Sarubbo gentoo-dev 2011-11-11 15:46:51 UTC
(In reply to comment #6)
> Actually no it cannot use fperms there because it uses glob expansion.

Ok, no problem


(In reply to comment #3)
> Arches, please test and mark stable:
> 
> =www-misc/awstats-7.1
> Target KEYWORDS="amd64 hppa ppc x86"

=www-misc/awstats-7.1-r1
Comment 8 Diego Elio Pettenò (RETIRED) gentoo-dev 2011-11-11 16:07:15 UTC
Erm sorry I'll commit -r2 in a moment as I broke it in a slightly different way,
Comment 9 Agostino Sarubbo gentoo-dev 2011-11-11 16:12:22 UTC
(In reply to comment #8)
> Erm sorry I'll commit -r2 in a moment as I broke it in a slightly different
> way,

Since I'm unable to test it, I asked Mauro (https://bugs.gentoo.org/show_bug.cgi?id=353716#c9) to test it on his webserver. Will r2 include the fix based on his report in bug 353716?
Comment 10 Michael Harrison 2011-11-11 16:20:29 UTC
Compile tested only; ~amd64 ok
Comment 11 Diego Elio Pettenò (RETIRED) gentoo-dev 2011-11-11 16:50:52 UTC
Yup, Mauro's report is the one I have to fix, just give me a moment as I'm a bit messed up.
Comment 12 Agostino Sarubbo gentoo-dev 2011-11-12 10:33:29 UTC
r2 seems to go.
Comment 13 Markus Meier gentoo-dev 2011-11-13 14:48:51 UTC
x86 stable
Comment 14 Elijah "Armageddon" El Lazkani (amd64 AT) 2011-11-15 03:45:28 UTC
amd64: emerge pass
Comment 15 Tony Vroon (RETIRED) gentoo-dev 2011-11-15 09:01:00 UTC
+  15 Nov 2011; Tony Vroon <chainsaw@gentoo.org> awstats-7.1-r2.ebuild:
+  Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo &
+  Elijah "Armageddon" El Lazkani in security bug #384237.
Comment 16 Jeroen Roovers (RETIRED) gentoo-dev 2011-11-15 15:03:22 UTC
Stable for HPPA.
Comment 17 Brent Baude (RETIRED) gentoo-dev 2012-02-01 17:06:52 UTC
ppc done; closing as last arch
Comment 18 Agostino Sarubbo gentoo-dev 2012-02-01 17:26:11 UTC
@security, please vote
Comment 19 Tim Sammut (RETIRED) gentoo-dev 2012-02-02 02:43:42 UTC
Thanks, everyone. GLSA Vote: no (only because it sounds like the SQLi isn't readily exploitable).
Comment 20 Stefan Behte (RETIRED) gentoo-dev Security 2012-03-06 01:00:20 UTC
Vote: NO.