From CVE-2008-3714:
-----
Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.8 allows remote attackers to inject arbitrary web script or HTML via the query_string.
-----

Fix: The following patch adds a fix obtained from Debian. The following VuXML entry should be evaluated and added:

<vuln vid="27d78386-d35f-11dd-b800-001b77d09812">
  <topic>awstats -- multiple XSS vulnerabilities</topic>
  <affects>
    <package>
      <name>awstats</name>
      <range><lt>6.8_2,1</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Secunia reports:</p>
      <blockquote cite="http://secunia.com/advisories/31519">
        <p>Morgan Todd has discovered a vulnerability in AWStats, which can be exploited by malicious people to conduct cross-site scripting attacks.</p>
        <p>Input passed in the URL to awstats.pl is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.</p>
        <p>Successful exploitation requires that the application is running as a CGI script.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2008-3714</cvename>
    <cvename>CVE-2008-5080</cvename>
    <url>http://secunia.com/advisories/31519</url>
    <url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495432</url>
  </references>
  <dates>
    <discovery>03-12-2008</discovery>
    <entry>TODAY</entry>
  </dates>
</vuln>
--- vuln.xml ends here ---

Attachment: fix-XSS-CVE-2008-3714-and-CVE-2008-508.diff

From 33fb2589f0e4764ffda167ec58c40fe78d00e424 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Date: Fri, 26 Dec 2008 18:56:37 +0300

Add Debian fix for the CVE-2008-3714. CVE-2008-5080 and the Debian bug report explain why the upstream fix was very incomplete.
Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru> --- www/awstats/Makefile | 2 +- www/awstats/files/patch-CVE-2008-3714 | 20 ++++++++++++++++++++ 2 files changed, 21 insertions(+), 1 deletions(-) create mode 100644 www/awstats/files/patch-CVE-2008-3714 diff --git a/www/awstats/Makefile b/www/awstats/Makefile index 45aa0cd..6b0b997 100644 --- a/www/awstats/Makefile +++ b/www/awstats/Makefile @@ -7,7 +7,7 @@ PORTNAME= awstats PORTVERSION= 6.8 -PORTREVISION= 1 +PORTREVISION= 2 PORTEPOCH= 1 CATEGORIES= www MASTER_SITES= SF diff --git a/www/awstats/files/patch-CVE-2008-3714 b/www/awstats/files/patch-CVE-2008-3714 new file mode 100644 index 0000000..0eacb5e --- /dev/null +++ b/www/awstats/files/patch-CVE-2008-3714 @@ -0,0 +1,20 @@ +Fixes XSS in awstats.pl: CVE-2008-3714 + +Please, note that the upstream fix, + http://awstats.cvs.sourceforge.net/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.910&r2=1.911 +is incomplete and can be easily curcumvented, + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5080 + +Obtained from: Debian, http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=33;filename=awstats-6.7.dfsg-5_6.7.dfsg-5.1.patch;att=1;bug=495432 +See also: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495432 + +--- wwwroot/cgi-bin/awstats.pl.orig 2008-12-26 18:45:31.000000000 +0300 ++++ wwwroot/cgi-bin/awstats.pl 2008-12-26 18:46:40.000000000 +0300 +@@ -4407,6 +4407,7 @@ + my $stringtodecode=shift; + $stringtodecode =~ tr/\+/ /s; + $stringtodecode =~ s/%([A-F0-9][A-F0-9])/pack("C", hex($1))/ieg; ++ $stringtodecode =~ s/["']//g; + return $stringtodecode; + } + -- 1.6.0.6 How-To-Repeat: Look at the following documents: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3714 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495432
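Review bot: the PORTREVISION bump from 1 to 2 in www/awstats/Makefile is consistent with the `<lt>6.8_2,1</lt>` range in the VuXML entry above (PORTEPOCH stays 1), so the vulnerable range and the fixed package version line up; nothing to change in this hunk.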
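Review bot: in the www/awstats/files/patch-CVE-2008-3714 hunk the added `$stringtodecode =~ s/["']//g;` runs after the `%XX` decoding line, which is what lets it catch both the raw and the percent-encoded spelling of either quote character; the patch header should state that this ordering is deliberate, because a future upstream merge that moves the strip above the decode would silently regress the fix. Two smaller points for the header: `curcumvented` should read `circumvented`, and since the strip now applies to every decoded parameter, a legitimate value containing an apostrophe will be altered too, which is worth one line of documentation for the port maintainer.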
Responsible Changed From-To: freebsd-ports-bugs->miwi miwi@ wants his PRs (via the GNATS Auto Assign Tool)
Maintainer of www/awstats, Please note that PR ports/129957 has just been submitted. If it contains a patch for an upgrade, an enhancement or a bug fix you agree on, reply to this email stating that you approve the patch and a committer will take care of it. The full text of the PR can be found at: http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/129957 -- Edwin Groothuis via the GNATS Auto Assign Tool edwin@FreeBSD.org
State Changed From-To: open->feedback Awaiting maintainers feedback (via the GNATS Auto Assign Tool)
Please, commit this patch
State Changed From-To: feedback->suspended Maintainer approved, but also approved ports/130143 which contains an update. However, that one doesn't contain the VuXML entry, so mark this as 'suspended' to flag that.
chinsan 2009-01-04 06:18:02 UTC
FreeBSD ports repository

Modified files:
  www/awstats          Makefile distinfo pkg-plist
  www/awstats/files    patch-wwwroot-cgi-bin-awstats.pl
Added files:
  www/awstats/files    patch-CVE-2008-3714
Log:
- Update to 6.9

Changes 6.9:
New features/improvements:
- With postfix that support DSN (Delivery Status Notifications) we exclude some lines to avoid counting mails twice in maillogconvert.pl script.
- Logresolvemerge.pl support FreeRADIUS logs or anything else using (the fixed length!) ctime format timestamp.
- Add option stoponfirsteof in logresolvemerge tool.
- Add patch to support host_proxy tag in LogFormat (for Apache LogFormat containing %{X-Forwarded-For}i)
- Renamed Add to favourites on "Hit on favicon".
- Increase robots, search engines database (Added Google Chrome browser, better Vista, WII, detection, ...)
- Update languages files.
- Added a lot of patch from sourceforge.
Fixes:
- Fixed broken maxmind citi, org and isp plugins.
- Remove in name html tag to have HtmlHeadSection first.
- Fix: [ 2001151 ] Security fix.
- Fix: [ 2038681 ] missing <br _/_> in plugins/geoip_org_maxmind.pm
- Fix: [ 1921942 ] html footer is missing from the allextraN report.
- Fix: [ 1943466 ] error geoip_city_maxmind Can't locate object method "record_
- Fix: [ 1808277 ] Incorrect function call in geoip_isp_maxmind.pm
- Fix: Full list of extrasections was not ordered correctly
- A lot of other fixes.
- Added missing icons
Other/Documentation:
- None

- Fix CVE-2008-3714 from the upstream (Sec: Enhance security of sanitizing parameters)
  http://awstats.cvs.sourceforge.net/viewvc/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.925&r2=1.926

PR:             ports/129957, ports/130143
Submitted by:   Eygene Ryabinkin <rea-fbsd _at\ codelabs.ru>, Naram Qashat <cyberbotx -at\ cyberbotx.com>
Approved by:    Alex Samorukov (maintainer)
Security:       http://secunia.com/advisories/31519

Revision  Changes   Path
1.41      +10 -8    ports/www/awstats/Makefile
1.24      +3 -3     ports/www/awstats/distinfo
1.1       +22 -0    ports/www/awstats/files/patch-CVE-2008-3714 (new)
1.3       +11 -11   ports/www/awstats/files/patch-wwwroot-cgi-bin-awstats.pl
1.23      +13 -0    ports/www/awstats/pkg-plist
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
State Changed From-To: suspended->closed Committed, thanks.
chinsan 2009-01-04 06:21:42 UTC
FreeBSD ports repository

Modified files:
  security/vuxml    vuln.xml
Log:
- Document awstats -- multiple XSS vulnerabilities

PR:             ports/129957
Submitted by:   Eygene Ryabinkin <rea-fbsd _at\ codelabs.ru>
Approved by:    Alex Samorukov (maintainer)
Security:       http://secunia.com/advisories/31519

Revision  Changes  Path
1.1803    +37 -1   ports/security/vuxml/vuln.xml
Mark, good day. Sun, Jan 04, 2009 at 01:06:41AM +0000, linimon@FreeBSD.org wrote: > Synopsis: [vuxml] [patch] www/awstats: fix CVE-2008-3714 and CVE-2008-5080 > > State-Changed-From-To: feedback->suspended > State-Changed-By: linimon > State-Changed-When: Sun Jan 4 01:03:13 UTC 2009 > State-Changed-Why: > Maintainer approved, but also approved ports/130143 which contains an > update. However, that one doesn't contain the VuXML entry, so mark > this as 'suspended' to flag that. Thanks for noting this! Although the patch for CVEs was committed, it will be better to use the following patch that redoes maintainer's attempt to fix the thing and adds the correct patch. --- awstats.pl.diff begins here --- --- wwwroot/cgi-bin/awstats.pl.orig 2009-01-06 22:01:04.000000000 +0300 +++ wwwroot/cgi-bin/awstats.pl 2009-01-06 22:03:09.000000000 +0300 
@@ -7521,8 +7521,8 @@ sub DecodeEncodedString { my $stringtodecode = shift; $stringtodecode =~ tr/\+/ /s; - $stringtodecode =~ s/%22//g; $stringtodecode =~ s/%([A-F0-9][A-F0-9])/pack("C", hex($1))/ieg; + $stringtodecode =~ s/["']//g; return $stringtodecode; } --- awstats.pl.diff ends here --- The committed patch is good too, but to avoid confusion and do the proper thing from the beginning, this variant will be better. On the slightly related topic: seems like awstats-devel is broken, because all sites have released version now: ----- => awstats-6.8.tar.gz doesn't seem to exist in /usr/ports/distfiles/. => Attempting to fetch from http://awstats.sourceforge.net/files/. fetch: http://awstats.sourceforge.net/files/awstats-6.8.tar.gz: size mismatch: expected 1097085, actual 1101851 => Attempting to fetch from ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/. fetch: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/awstats-6.8.tar.gz: size mismatch: expected 1097085, actual 1101851 => Couldn't fetch it - please try to retrieve this => port manually into /usr/ports/distfiles/ and try again. *** Error code 1 Stop in /usr/ports/www/awstats-devel. ----- May be it should be marked as BROKEN? The normal (non-devel) port is on the higher version now, so once someone will have time and passion to unbreak the port, he will do it. -- Eygene _ ___ _.--. # \`.|\..----...-'` `-._.-'_.-'` # Remember that it is hard / ' ` , __.--' # to read the on-line manual )/' _/ \ `-_, / # while single-stepping the kernel. `-'" `"\_ ,_.-;_.-\_ ', fsc/as # _.-'_./ {_.' ; / # -- FreeBSD Developers handbook {_.-``-' {_/ #
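Review bot: removing the upstream `$stringtodecode =~ s/%22//g;` line is the right call, since it ran before the `%XX` decode and only matched one encoded spelling of the double quote, while the added `s/["']//g` after the decode covers both quote characters in raw and encoded form; the committed files/patch-CVE-2008-3714 from the earlier diff in this PR adds the same strip line but leaves the `%22` line in place, so the two patches overlap. Suggest the port's patch file carry a one-line comment stating that the `%22` removal is redundant once the post-decode strip exists, so a later update does not reintroduce it as the only defence.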
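The two variants of DecodeEncodedString discussed in this thread, reimplemented side by side as an added Python example that is not part of the PR or of AWStats: the upstream variant removes the literal text `%22` before decoding, the Debian/FreeBSD variant strips both quote characters after decoding. The Perl `tr/\+/ /s` and `s/%XX/.../ieg` semantics are reproduced in Python as an assumption, and the sample parameter values are constructed.

```python
import re

# Perl: s/%([A-F0-9][A-F0-9])/pack("C", hex($1))/ieg  (the /i flag makes lowercase hex match too)
_HEX_ESCAPE = re.compile(r"%([A-Fa-f0-9]{2})")


def _plus_to_space(s: str) -> str:
    # Perl: tr/\+/ /s  -- every '+' becomes a space, and runs of '+' squeeze to one space
    return re.sub(r"\++", " ", s)


def _percent_decode(s: str) -> str:
    # Single-pass %XX decoding: a double-encoded "%2522" yields the text "%22", not a quote
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)


def decode_upstream(s: str) -> str:
    """Upstream variant: drop the literal text '%22' *before* decoding.
    Only one spelling of one quote character is ever handled."""
    s = _plus_to_space(s)
    s = s.replace("%22", "")
    return _percent_decode(s)


def decode_fixed(s: str) -> str:
    """Debian/FreeBSD variant: decode first, then strip both quote characters,
    so raw and percent-encoded quotes are treated the same way."""
    s = _plus_to_space(s)
    s = _percent_decode(s)
    return re.sub(r"[\"']", "", s)


def leaves_quote(decoded: str) -> bool:
    return '"' in decoded or "'" in decoded


# Constructed sample parameter values (not taken from the PR) for a regression check
SAMPLE_VALUES = ["site+name", "a%22b", "a%27b", 'x="y', "a%41b%2f"]


def compare(values=SAMPLE_VALUES) -> dict:
    """Map each input to (quote survives upstream decode, quote survives fixed decode)."""
    return {v: (leaves_quote(decode_upstream(v)), leaves_quote(decode_fixed(v))) for v in values}


if __name__ == "__main__":
    for value, (old, new) in compare().items():
        print(f"{value!r:12} upstream leaves quote: {old!s:5} fixed leaves quote: {new}")
```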
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tue, Jan 06, 2009 at 10:15:11PM +0300, Eygene Ryabinkin wrote: > Mark, good day. > > Sun, Jan 04, 2009 at 01:06:41AM +0000, linimon@FreeBSD.org wrote: > > Synopsis: [vuxml] [patch] www/awstats: fix CVE-2008-3714 and CVE-2008-5080 > > > > State-Changed-From-To: feedback->suspended > > State-Changed-By: linimon > > State-Changed-When: Sun Jan 4 01:03:13 UTC 2009 > > State-Changed-Why: > > Maintainer approved, but also approved ports/130143 which contains an > > update. However, that one doesn't contain the VuXML entry, so mark > > this as 'suspended' to flag that. > > Thanks for noting this! Although the patch for CVEs was committed, it > will be better to use the following patch that redoes maintainer's > attempt to fix the thing and adds the correct patch. > > --- awstats.pl.diff begins here --- > --- wwwroot/cgi-bin/awstats.pl.orig 2009-01-06 22:01:04.000000000 +0300 > +++ wwwroot/cgi-bin/awstats.pl 2009-01-06 22:03:09.000000000 +0300 
> @@ -7521,8 +7521,8 @@ > sub DecodeEncodedString { > my $stringtodecode = shift; > $stringtodecode =~ tr/\+/ /s; > - $stringtodecode =~ s/%22//g; > $stringtodecode =~ s/%([A-F0-9][A-F0-9])/pack("C", hex($1))/ieg; > + $stringtodecode =~ s/["']//g; > return $stringtodecode; > } > > --- awstats.pl.diff ends here --- > > The committed patch is good too, but to avoid confusion and do the proper > thing from the beginning, this variant will be better. > > On the slightly related topic: seems like awstats-devel is broken, > because all sites have released version now: > ----- > => awstats-6.8.tar.gz doesn't seem to exist in /usr/ports/distfiles/. > => Attempting to fetch from http://awstats.sourceforge.net/files/. > fetch: http://awstats.sourceforge.net/files/awstats-6.8.tar.gz: size mismatch: expected 1097085, actual 1101851 > => Attempting to fetch from ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/. > fetch: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/awstats-6.8.tar.gz: size mismatch: expected 1097085, actual 1101851 > => Couldn't fetch it - please try to retrieve this > => port manually into /usr/ports/distfiles/ and try again. > *** Error code 1 > awstats-devel is marked as forbidden few days ago. > Stop in /usr/ports/www/awstats-devel. > ----- > May be it should be marked as BROKEN? The normal (non-devel) port is > on the higher version now, so once someone will have time and passion > to unbreak the port, he will do it. > -- > Eygene > _ ___ _.--. # > \`.|\..----...-'` `-._.-'_.-'` # Remember that it is hard > / ' ` , __.--' # to read the on-line manual > )/' _/ \ `-_, / # while single-stepping the kernel. > `-'" `"\_ ,_.-;_.-\_ ', fsc/as # > _.-'_./ {_.' 
; / # -- FreeBSD Developers handbook > {_.-``-' {_/ # > - -- +-----------------------+-------------------------------+ | PGP : 0x05682353 | Jabber : miwi(at)BSDCrew.de | | ICQ : 169139903 | Mail : miwi(at)FreeBSD.org | +-----------------------+-------------------------------+ | Mess with the Best, Die like the Rest! | +-----------------------+-------------------------------+ -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (FreeBSD) iEYEARECAAYFAkljrl8ACgkQFwpycAVoI1NHhgCfYtYParwgjw3GdDEEM2CCuiPS 96cAnRpZ328zC0Uss/XEnCfIVyEYeBkg =xLlZ -----END PGP SIGNATURE-----
Martin, good day. Tue, Jan 06, 2009 at 08:17:51PM +0100, Martin Wilke wrote: > awstats-devel is marked as forbidden few days ago. Err, sorry: should check the current ports tree prior to spitting "bright ideas". -- Eygene _ ___ _.--. # \`.|\..----...-'` `-._.-'_.-'` # Remember that it is hard / ' ` , __.--' # to read the on-line manual )/' _/ \ `-_, / # while single-stepping the kernel. `-'" `"\_ ,_.-;_.-\_ ', fsc/as # _.-'_./ {_.' ; / # -- FreeBSD Developers handbook {_.-``-' {_/ #
On Tue, Jan 06, 2009 at 10:15:11PM +0300, Eygene Ryabinkin wrote: > Thanks for noting this! Although the patch for CVEs was committed, it > will be better to use the following patch that redoes maintainer's > attempt to fix the thing and adds the correct patch. miwi, chinsan, could either of you take a look at this? Thanks. mcl
On Wed, Jan 7, 2009 at 2:11 PM, Mark Linimon <linimon@lonesome.com> wrote: > On Tue, Jan 06, 2009 at 10:15:11PM +0300, Eygene Ryabinkin wrote: >> Thanks for noting this! Although the patch for CVEs was committed, it >> will be better to use the following patch that redoes maintainer's >> attempt to fix the thing and adds the correct patch. > > miwi, chinsan, could either of you take a look at this? Thanks. > > mcl > ok, done. :)