[awstats/f16] fix multiple XSS and sql injection flaws (#740926)

Petr Lautrbach plautrba at fedoraproject.org
Thu Oct 6 14:53:32 UTC 2011


commit 646a4fa232360063bcbee1fcaee6382639640108
Author: Petr Lautrbach <plautrba at redhat.com>
Date:   Thu Oct 6 16:44:13 2011 +0200

    fix multiple XSS and sql injection flaws (#740926)

 awstats-awredir.pl-sanitize-parameters.patch |   67 ++++++++++++++++++++++++++
 awstats.spec                                 |    2 +
 2 files changed, 69 insertions(+), 0 deletions(-)
---
diff --git a/awstats-awredir.pl-sanitize-parameters.patch b/awstats-awredir.pl-sanitize-parameters.patch
new file mode 100644
index 0000000..49c8f71
--- /dev/null
+++ b/awstats-awredir.pl-sanitize-parameters.patch
@@ -0,0 +1,67 @@
+diff --git a/wwwroot/cgi-bin/awredir.pl b/wwwroot/cgi-bin/awredir.pl
+index 35ee82d..3feeb83 100755
+--- a/wwwroot/cgi-bin/awredir.pl
++++ b/wwwroot/cgi-bin/awredir.pl
+@@ -8,6 +8,8 @@
+ 
+ #use DBD::mysql;
+ use Digest::MD5 qw(md5 md5_hex md5_base64);
++use HTML::Entities;
++use URI::Escape;
+ 
+ 
+ #-------------------------------------------------------
+@@ -116,26 +118,27 @@ if ($ENV{QUERY_STRING} =~ /tag=\"?([^\"&]+)\"?/) { $Tag=$1; }
+ 
+ $Key='NOKEY';
+ if ($ENV{QUERY_STRING} =~ /key=\"?([^\"&]+)\"?/) { $Key=$1; }
++$KeyEncoded=HTML::Entities::encode($Key);
+ 
+ # Extract url to redirect to
+ $Url=$ENV{QUERY_STRING};
+ if ($Url =~ /url=\"([^\"]+)\"/) { $Url=$1; }
+ elsif ($Url =~ /url=(.+)$/) { $Url=$1; }
+ $Url = DecodeEncodedString($Url);
+-$UrlParam=$Url;
++$UrlEncoded=HTML::Entities::encode($Url);
+ 
+-if (! $UrlParam) {
++if (! $Url) {
+         error("Error: Bad use of $PROG. To redirect an URL with $PROG, use the following syntax:<br><i>/cgi-bin/$PROG.pl?url=http://urltogo</i>");
+ }
+ 
++if ($KEYFORMD5 && ($Key ne md5_hex($KEYFORMD5.$Url))) {
++#       error("Error: Bad value for parameter key=".$Key." to allow a redirect to ".$UrlEncoded." - ".$KEYFORMD5." - ".md5_hex($KEYFORMD5.$UrlEncoded) );
++        error("Error: Bad value for parameter key=".$KeyEncoded." to allow a redirect to ".$UrlEncoded.". Key must be hexadecimal md5(KEYFORMD5.".$UrlEncoded.") where KEYFORMD5 is value hardcoded into awredir.pl. Note: You can remove use of key by setting KEYFORMD5 to empty string in script awredir.pl");
++}
++
+ if ($Url !~ /^http/i) { $Url = "http://".$Url; }
+ if ($DEBUG) { print LOGFILE "Url=$Url\n"; }
+ 
+-if ($KEYFORMD5 && ($Key ne md5_hex($KEYFORMD5.$UrlParam))) {
+-#       error("Error: Bad value for parameter key=".$Key." to allow a redirect to ".$UrlParam." - ".$KEYFORMD5." - ".md5_hex($KEYFORMD5.$UrlParam) );
+-        error("Error: Bad value for parameter key=".$Key." to allow a redirect to ".$UrlParam.". Key must be hexadecimal md5(KEYFORMD5.".$UrlParam.") where KEYFORMD5 is value hardcoded into awredir.pl. Note: You can remove use of key by setting KEYFORMD5 to empty string in script awredir.pl");
+-}
+-
+ 
+ # Get date
+ ($nowsec,$nowmin,$nowhour,$nowday,$nowmonth,$nowyear,$nowwday,$nowyday,$nowisdst) = localtime(time);
+@@ -151,8 +154,8 @@ if ($TRACEBASE == 1) {
+ 	if ($ENV{REMOTE_ADDR} !~ /$EXCLUDEIP/) {
+ 		if ($DEBUG == 1) { print LOGFILE "Execution requete Update sur BASE=$BASE, USER=$USER, PASS=$PASS\n"; }
+ 		my $dbh = DBI->connect("DBI:mysql:$BASE", $USER, $PASS) || die "Can't connect to DBI:mysql:$BASE: $dbh->errstr\n";
+-		my $sth = $dbh->prepare("UPDATE T_LINKS set HITS_LINKS = HIT_LINKS+1 where URL_LINKS = '$Url'");
+-		$sth->execute || error("Error: Unable execute query:$dbh->err, $dbh->errstr");
++		my $sth = $dbh->prepare("UPDATE T_LINKS set HITS_LINKS = HIT_LINKS+1 where URL_LINKS = ?");
++		$sth->execute($Url) || error("Error: Unable execute query:$dbh->err, $dbh->errstr");
+ 		$sth->finish;
+ 		$dbh->disconnect;
+ 		if ($DEBUG == 1) { print LOGFILE "Execution requete Update - OK\n"; }
+@@ -167,6 +170,7 @@ if ($TRACEFILE == 1) {
+ 	}
+ }
+ 
++$Url=uri_escape($Url);
+ # Redir html instructions
+ print "Location: $Url\n\n";
+ 
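Review bot: The `$Url=uri_escape($Url);` line added just before `print "Location: $Url\n\n";` calls uri_escape with its default unsafe set, which percent-encodes every character outside `A-Za-z0-9-._~`, so `:`, `/`, `?`, `=` and any `%` already present in the decoded URL are escaped as well and the Location value becomes a relative path of the form `http%3A%2F%2F...` instead of the intended target. If the purpose of the call is to keep CR/LF and other control characters out of the response header (the value comes from the query string and is passed through DecodeEncodedString earlier in this hunk), limit the unsafe set to those characters, e.g. `$Url=uri_escape($Url, '\x00-\x20\x7f');`, so the URL syntax survives. The parameterised `execute($Url)` line is correct; note that the `"...$dbh->err, $dbh->errstr"` message it keeps interpolates only `$dbh` and leaves `->err`/`->errstr` as literal text, which predates this patch but could be fixed while the line is touched.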
diff --git a/awstats.spec b/awstats.spec
index 8e30227..16aca65 100644
--- a/awstats.spec
+++ b/awstats.spec
@@ -6,6 +6,7 @@ License:    GPLv2
 Group:      Applications/Internet
 URL:        http://awstats.sourceforge.net
 Source0:    http://downloads.sourceforge.net/project/awstats/AWStats/%{version}/awstats-%{version}.tar.gz
+Patch0:     awstats-awredir.pl-sanitize-parameters.patch
 
 BuildArch:  noarch
 BuildRoot:  %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -38,6 +39,7 @@ http://localhost/awstats/awstats.pl
 
 %prep
 %setup -q
+%patch0 -p 1
 # Fix style sheets.
 perl -pi -e 's,/icon,/awstatsicons,g' wwwroot/css/*
 # Fix some bad file permissions here for convenience.
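Review bot: Neither spec hunk (the `Patch0:` line at the top and the `%patch0 -p 1` line in `%prep`) bumps `Release:` or adds a `%changelog` entry for the new patch, and the diffstat shows only two inserted lines in awstats.spec, so as committed the package keeps the same NEVR and would not be rebuilt unless that was done in a separate commit. Add a changelog entry such as `- fix multiple XSS and sql injection flaws (#740926)` and increment `Release:`. `%patch0 -p 1` works, but the conventional spelling in Fedora specs is `%patch0 -p1`.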

