[awstats] fix potential XSS attacks - CVE-2012-4547 (#871159)
plautrba
plautrba at fedoraproject.org
Fri Nov 16 17:00:07 UTC 2012
commit 50a915164d55ad44fadfe6fa6823661668ca37e1
Author: Petr Lautrbach <plautrba at redhat.com>
Date: Fri Nov 16 16:00:38 2012 +0100
fix potential XSS attacks - CVE-2012-4547 (#871159)
awstats-7.0-cleanxss.patch | 43 +++++++++++++++++++++++++++++++++++++++++++
awstats.spec | 3 +++
2 files changed, 46 insertions(+), 0 deletions(-)
---
diff --git a/awstats-7.0-cleanxss.patch b/awstats-7.0-cleanxss.patch
new file mode 100644
index 0000000..98f10a7
--- /dev/null
+++ b/awstats-7.0-cleanxss.patch
@@ -0,0 +1,43 @@
+diff -up awstats-7.0/wwwroot/cgi-bin/awredir.pl.cleanxss awstats-7.0/wwwroot/cgi-bin/awredir.pl
+--- awstats-7.0/wwwroot/cgi-bin/awredir.pl.cleanxss 2012-11-16 15:38:42.077347478 +0100
++++ awstats-7.0/wwwroot/cgi-bin/awredir.pl 2012-11-16 15:53:28.893552096 +0100
+@@ -75,6 +75,27 @@ sub DecodeEncodedString {
+ return $stringtodecode;
+ }
+
++#------------------------------------------------------------------------------
++# Function: Clean a string of HTML tags to avoid 'Cross Site Scripting attacks'
++# and clean | char.
++# Parameters: stringtoclean
++# Input: None
++# Output: None
++# Return: cleanedstring
++#------------------------------------------------------------------------------
++sub CleanXSS {
++ my $stringtoclean = shift;
++
++ # To avoid html tags and javascript
++ $stringtoclean =~ s/</</g;
++ $stringtoclean =~ s/>/>/g;
++ $stringtoclean =~ s/|//g;
++
++ # To avoid onload="
++ $stringtoclean =~ s/onload//g;
++ return $stringtoclean;
++}
++
+
+ #-------------------------------------------------------
+ # MAIN
+@@ -127,6 +148,11 @@ elsif ($Url =~ /url=(.+)$/) { $Url=$1; }
+ $Url = DecodeEncodedString($Url);
+ $UrlEncoded=HTML::Entities::encode($Url);
+
++# Sanitize parameters
++$Tag=CleanXSS($Tag);
++$Key=CleanXSS($Key);
++$UrlEncoded=CleanXSS($UrlEncoded);
++
+ if (! $Url) {
+ error("Error: Bad use of $PROG. To redirect an URL with $PROG, use the following syntax:<br><i>/cgi-bin/$PROG.pl?url=http://urltogo</i>");
+ }
diff --git a/awstats.spec b/awstats.spec
index 46e5905..0682a82 100644
--- a/awstats.spec
+++ b/awstats.spec
@@ -9,6 +9,8 @@ Source0: http://downloads.sourceforge.net/project/awstats/AWStats/%{version}/
Patch0: use-if-instead-of-switch-statement.patch
Patch1: awstats-awredir.pl-sanitize-parameters.patch
Patch2: awstats-perl-5.14.patch
+# CVE-2012-4547, #871159
+Patch3: awstats-7.0-cleanxss.patch
BuildArch: noarch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -43,6 +45,7 @@ http://localhost/awstats/awstats.pl
%setup -q
%patch1 -p 1
%patch2 -p 1
+%patch3 -p 1 -b .cleanxss
# Fix style sheets.
perl -pi -e 's,/icon,/awstatsicons,g' wwwroot/css/*
# Fix some bad file permissions here for convenience.
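Review bot: The spec's diffstat (`awstats.spec | 3 +++`) is fully accounted for by the comment line, the `Patch3:` line and the `%patch3` line, so this commit carries no Release bump and no %changelog entry recording CVE-2012-4547 / #871159; a changelog line such as `- fix potential XSS attacks - CVE-2012-4547 (#871159)` with a Release increment is what a rebuild would need to ship the fix. Patch0 is declared above, but no `%patch0` line appears in the visible `%setup` context — pre-existing, and it may be applied elsewhere, but worth confirming it is intentional.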