Bug#365909: Bug#364443: [Pkg-awstats-devel] Bug#364443: Vulnerability exists also with the 'diricons' parameter

Fri May 12 08:22:18 UTC 2006

How can the diricons and config parameters be exploited?  From a quick
glance I can't find an open associated with $DirIcons.

I assume $SiteConfig leads to an open() call.

Charles Fry wrote:
> Index: awstats-6.5/wwwroot/cgi-bin/awstats.pl
> ===================================================================
> --- awstats-6.5.orig/wwwroot/cgi-bin/awstats.pl	2005-11-24 15:11:19.000000000 -0500
> +++ awstats-6.5/wwwroot/cgi-bin/awstats.pl	2006-05-05 16:43:12.000000000 -0400
> @@ -5542,8 +5542,8 @@
>  	# No update but report by default when run from a browser
>  	$UpdateStats=($QueryString=~/update=1/i?1:0);
>  
> -	if ($QueryString =~ /config=([^&]+)/i)				{ $SiteConfig=&DecodeEncodedString("$1"); }
> -	if ($QueryString =~ /diricons=([^&]+)/i)			{ $DirIcons=&DecodeEncodedString("$1"); }
> +	if ($QueryString =~ /config=([^&]+)/i)				{ $SiteConfig=&Sanitize(&DecodeEncodedString("$1")); }
> +	if ($QueryString =~ /diricons=([^&]+)/i)			{ $DirIcons=&Sanitize(&DecodeEncodedString("$1")); }
>  	if ($QueryString =~ /pluginmode=([^&]+)/i)			{ $PluginMode=&Sanitize(&DecodeEncodedString("$1"),1); }
>  	if ($QueryString =~ /configdir=([^&]+)/i)			{ $DirConfig=&Sanitize(&DecodeEncodedString("$1")); }
>  	# All filters
> @@ -5561,7 +5561,7 @@
>  
>  	# If migrate
>  	if ($QueryString =~ /(^|-|&|&amp;)migrate=([^&]+)/i)	{
> -		$MigrateStats=&DecodeEncodedString("$2"); 
> +		$MigrateStats=&Sanitize(&DecodeEncodedString("$2"));
>  		$MigrateStats =~ /^(.*)$PROG(\d{0,2})(\d\d)(\d\d\d\d)(.*)\.txt$/;
>  		$SiteConfig=$5?$5:'xxx'; $SiteConfig =~ s/^\.//;		# SiteConfig is used to find config file
>  	}
> @@ -5591,8 +5591,8 @@
>  	# Update with no report by default when run from command line
>  	$UpdateStats=1;
>  
> -	if ($QueryString =~ /config=([^&]+)/i)				{ $SiteConfig="$1"; }
> -	if ($QueryString =~ /diricons=([^&]+)/i)			{ $DirIcons="$1"; }
> +	if ($QueryString =~ /config=([^&]+)/i)				{ $SiteConfig=&Sanitize("$1"); }
> +	if ($QueryString =~ /diricons=([^&]+)/i)			{ $DirIcons=&Sanitize("$1"); }
>  	if ($QueryString =~ /pluginmode=([^&]+)/i)			{ $PluginMode=&Sanitize("$1",1); }
>  	if ($QueryString =~ /configdir=([^&]+)/i)			{ $DirConfig=&Sanitize("$1"); }
>  	# All filters

Regards,

	Joey

-- 
It's time to close the windows.

Please always Cc to me when replying to me on the lists.