[Secure-testing-team] Bug#495432: XSS in awstats < 6.9beta (upstream bug 2001151)
Andreas Henriksson
andreas at fatal.se
Sun Aug 17 11:32:32 UTC 2008
Package: awstats
Version: 6.5+dfsg-1
Severity: grave
Tags: security patch
Justification: user security hole
From http://sourceforge.net/tracker/index.php?func=detail&aid=2001151&group_id=13764&atid=113764
There is a Cross Site Scripting Issue when the action attribute is output
for the form tag. Please see this PoC:
http://www.example.com/awstats/awstats.pl?config=www.example.com&%22onload=%22alert(document.domain)//
This seems to affect any version below 6.9 beta.
I believe this is the fix:
http://awstats.cvs.sourceforge.net/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.910&r2=1.911
--- a/wwwroot/cgi-bin/awstats.pl 2008/04/21 21:13:28 1.910
+++ b/wwwroot/cgi-bin/awstats.pl 2008/07/27 17:41:57 1.911
@@ -4406,6 +4406,7 @@
sub DecodeEncodedString {
my $stringtodecode=shift;
$stringtodecode =~ tr/\+/ /s;
+ $stringtodecode =~ s/%22//g;
$stringtodecode =~ s/%([A-F0-9][A-F0-9])/pack("C", hex($1))/ieg;
return $stringtodecode;
}
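Review bot: `s/%22//g` in DecodeEncodedString is a blacklist of one encoding of the double quote, applied to every decoded parameter rather than at the place where the value is reflected into the form's `action` attribute. It only covers the percent-encoded form of the character, and it silently changes the decoded value of any parameter that legitimately contains `%22`, so the decoder is no longer a faithful decoder. Suggest leaving `DecodeEncodedString` as it was and escaping the value where it is written into the attribute (`"` as `&quot;`, together with `&`, `<` and `>`), which fixes the reported case and every other quote that reaches that attribute.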
@@ -4458,9 +4459,12 @@
#------------------------------------------------------------------------------
sub CleanXSS {
my $stringtoclean=shift;
+ # To avoid html tags and javascript
$stringtoclean =~ s/</</g;
$stringtoclean =~ s/>/>/g;
$stringtoclean =~ s/|//g;
+ # To avoid onload="
+ $stringtoclean =~ s/onload//g;
return $stringtoclean;
}
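Review bot: as shown, `s/</</g` and `s/>/>/g` replace a character with itself and have no effect; if the intent is HTML escaping, the right-hand sides should be `&lt;` and `&gt;`, with `&` escaped to `&amp;` first (the entity text may have been lost when the patch was mailed, so please check the committed file). The added `s/onload//g` removes one event-handler name as a substring; that does not address the root cause, which is the unescaped `"` that ends the attribute value, and there are other handler attributes it does not cover. Encoding `"` as `&quot;` at the output point makes the keyword removal unnecessary, and the comment `# To avoid onload="` should then describe the rule (escape for attribute context) rather than one payload.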
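The output-encoding approach discussed in the review notes, as an added example that is not awstats code or part of the fix above: a query string of the same shape as the PoC is percent-decoded and then escaped for an HTML attribute before being placed in the form's `action`, so the quote that would otherwise close the attribute is emitted as `&quot;`. The names `decode_param`, `escape_attr` and `form_tag` and the sample query are assumptions made for this example.

```perl
#!/usr/bin/perl
# Added example, not awstats code: escape a reflected value for its HTML
# attribute context instead of deleting particular encodings or keywords.
use strict;
use warnings;

# Percent-decode a query string the way a CGI does (hypothetical helper,
# written here to mirror DecodeEncodedString without the %22 stripping,
# so a decoded double quote reaches the escaping step below).
sub decode_param {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Escape for use inside a double-quoted HTML attribute value. Each character
# that could end the attribute or start markup becomes an entity; & is done
# first so the entities produced afterwards are not re-escaped.
sub escape_attr {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Build the form tag: the decoded query string is reflected into the action
# attribute, so it is escaped for that context at the point of output.
sub form_tag {
    my ($query_string) = @_;
    my $action = 'awstats.pl?' . escape_attr(decode_param($query_string));
    return qq{<form action="$action">};
}

# Constructed input with the shape of the reported PoC: a config value
# followed by a percent-encoded quote and an injected attribute name.
my $query = 'config=www.example.com&%22onload=%22alert(document.domain)//';

# The decoded quotes are printed as &quot; and the & as &amp;, so the
# attribute value is never closed and the injected text stays inert data.
print form_tag($query), "\n";
```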