Bug#365909: Bug#364443: [Pkg-awstats-devel] Bug#364443: Vulnerability
exists also with the 'diricons' parameter
Martin Schulze
joey at infodrom.org
Fri May 12 08:22:18 UTC 2006
How can the diricons and config parameters be exploited? From a quick
glance I can't find an open associated with $DirIcons.
I assume $SiteConfig leads to an open() call.
Charles Fry wrote:
> Index: awstats-6.5/wwwroot/cgi-bin/awstats.pl
> ===================================================================
> --- awstats-6.5.orig/wwwroot/cgi-bin/awstats.pl 2005-11-24 15:11:19.000000000 -0500
> +++ awstats-6.5/wwwroot/cgi-bin/awstats.pl 2006-05-05 16:43:12.000000000 -0400
> @@ -5542,8 +5542,8 @@
> # No update but report by default when run from a browser
> $UpdateStats=($QueryString=~/update=1/i?1:0);
>
> - if ($QueryString =~ /config=([^&]+)/i) { $SiteConfig=&DecodeEncodedString("$1"); }
> - if ($QueryString =~ /diricons=([^&]+)/i) { $DirIcons=&DecodeEncodedString("$1"); }
> + if ($QueryString =~ /config=([^&]+)/i) { $SiteConfig=&Sanitize(&DecodeEncodedString("$1")); }
> + if ($QueryString =~ /diricons=([^&]+)/i) { $DirIcons=&Sanitize(&DecodeEncodedString("$1")); }
> if ($QueryString =~ /pluginmode=([^&]+)/i) { $PluginMode=&Sanitize(&DecodeEncodedString("$1"),1); }
> if ($QueryString =~ /configdir=([^&]+)/i) { $DirConfig=&Sanitize(&DecodeEncodedString("$1")); }
> # All filters
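Review bot: The added config= and diricons= lines call Sanitize with a single argument, while the pluginmode= line just below passes a second argument of 1, and the definition of Sanitize is not part of this diff. Please state in the changelog or in a comment which characters each form removes and why the one-argument form is enough for both uses: $SiteConfig, which selects a config file, and $DirIcons, whose use is the open question in this thread. Without that, a reader of the patch cannot tell whether the two parameters are actually constrained.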
> @@ -5561,7 +5561,7 @@
>
> # If migrate
> if ($QueryString =~ /(^|-|&|&)migrate=([^&]+)/i) {
> - $MigrateStats=&DecodeEncodedString("$2");
> + $MigrateStats=&Sanitize(&DecodeEncodedString("$2"));
> $MigrateStats =~ /^(.*)$PROG(\d{0,2})(\d\d)(\d\d\d\d)(.*)\.txt$/;
> $SiteConfig=$5?$5:'xxx'; $SiteConfig =~ s/^\.//; # SiteConfig is used to find config file
> }
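Review bot: In the migrate branch the result of the pattern match on the line after the added Sanitize call is never tested, and that pattern still begins with an unrestricted (.*) prefix. $SiteConfig is then taken from $5, so it is only as constrained as whatever Sanitize leaves in $MigrateStats. Consider testing the match explicitly and rejecting the request when the file name does not have the expected $PROG...txt shape, rather than falling through to 'xxx'.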
> @@ -5591,8 +5591,8 @@
> # Update with no report by default when run from command line
> $UpdateStats=1;
>
> - if ($QueryString =~ /config=([^&]+)/i) { $SiteConfig="$1"; }
> - if ($QueryString =~ /diricons=([^&]+)/i) { $DirIcons="$1"; }
> + if ($QueryString =~ /config=([^&]+)/i) { $SiteConfig=&Sanitize("$1"); }
> + if ($QueryString =~ /diricons=([^&]+)/i) { $DirIcons=&Sanitize("$1"); }
> if ($QueryString =~ /pluginmode=([^&]+)/i) { $PluginMode=&Sanitize("$1",1); }
> if ($QueryString =~ /configdir=([^&]+)/i) { $DirConfig=&Sanitize("$1"); }
> # All filters
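Review bot: The command-line branch repeats the same four parameter lines as the browser branch, differing only in the DecodeEncodedString call, and in both places pluginmode= and configdir= were already sanitized while config= and diricons= were not. Keeping two hand-maintained copies is how that gap arose. Consider moving the parameter extraction into one helper that always applies Sanitize and takes decoding as an option, so a parameter added later cannot be sanitized in one branch and missed in the other.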
Regards,
Joey
--
It's time to close the windows.
Please always Cc to me when replying to me on the lists.