Date:      Fri, 26 Dec 2008 19:08:42 +0300 (MSK)
From:      Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   ports/129957: [vuxml] [patch] www/awstats: fix CVE-2008-3714 and CVE-2008-5080
Message-ID:  <20081226160842.899D81711E@shadow.codelabs.ru>
Resent-Message-ID: <200812261610.mBQGA18E052248@freefall.freebsd.org>

>Number:         129957
>Category:       ports
>Synopsis:       [vuxml] [patch] www/awstats: fix CVE-2008-3714 and CVE-2008-5080
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Dec 26 16:10:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.1-PRERELEASE amd64
>Organization:
Code Labs
>Environment:

System: FreeBSD 7.1-PRERELEASE amd64

>Description:

From CVE-2008-3714:
-----
Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.8
allows remote attackers to inject arbitrary web script or HTML via the
query_string.
-----

>How-To-Repeat:

Look at the following documents:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3714
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495432

>Fix:

The following patch adds the fix obtained from Debian:
--- fix-XSS-CVE-2008-3714-and-CVE-2008-508.diff begins here ---
From 33fb2589f0e4764ffda167ec58c40fe78d00e424 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Date: Fri, 26 Dec 2008 18:56:37 +0300

Add Debian fix for CVE-2008-3714.  CVE-2008-5080 and the Debian
bug report explain why the upstream fix was very incomplete.

Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
---
 www/awstats/Makefile                  |    2 +-
 www/awstats/files/patch-CVE-2008-3714 |   20 ++++++++++++++++++++
 2 files changed, 21 insertions(+), 1 deletions(-)
 create mode 100644 www/awstats/files/patch-CVE-2008-3714

diff --git a/www/awstats/Makefile b/www/awstats/Makefile
index 45aa0cd..6b0b997 100644
--- a/www/awstats/Makefile
+++ b/www/awstats/Makefile
@@ -7,7 +7,7 @@
 
 PORTNAME=	awstats
 PORTVERSION=	6.8
-PORTREVISION=	1
+PORTREVISION=	2
 PORTEPOCH=	1
 CATEGORIES=	www
 MASTER_SITES=	SF
diff --git a/www/awstats/files/patch-CVE-2008-3714 b/www/awstats/files/patch-CVE-2008-3714
new file mode 100644
index 0000000..0eacb5e
--- /dev/null
+++ b/www/awstats/files/patch-CVE-2008-3714
@@ -0,0 +1,20 @@
+Fixes XSS in awstats.pl: CVE-2008-3714
+
+Please, note that the upstream fix,
+  http://awstats.cvs.sourceforge.net/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.910&r2=1.911
+is incomplete and can be easily curcumvented,
+  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5080
+
+Obtained from: Debian, http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=33;filename=awstats-6.7.dfsg-5_6.7.dfsg-5.1.patch;att=1;bug=495432
+See also: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495432
+
+--- wwwroot/cgi-bin/awstats.pl.orig	2008-12-26 18:45:31.000000000 +0300
++++ wwwroot/cgi-bin/awstats.pl	2008-12-26 18:46:40.000000000 +0300
+@@ -4407,6 +4407,7 @@
+ 	my $stringtodecode=shift;
+ 	$stringtodecode =~ tr/\+/ /s;
+ 	$stringtodecode =~ s/%([A-F0-9][A-F0-9])/pack("C", hex($1))/ieg;
++	$stringtodecode =~ s/["']//g;
+ 	return $stringtodecode;
+ }
+ 
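Review bot: the added substitution `$stringtodecode =~ s/["']//g;` removes only the two quote characters after percent-decoding, so every other HTML metacharacter in the decoded value is still returned unchanged. That is sufficient only where the result ends up inside a quoted attribute; I would HTML-encode the value at the point where it is written into the page instead of deleting characters in the decoder, which also avoids silently altering legitimate parameters that contain quotes. Minor: the header of the new file spells "circumvented" as "curcumvented", and a one-line comment beside the added substitution naming CVE-2008-3714 would help whoever next merges an upstream update.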
-- 
1.6.0.6
--- fix-XSS-CVE-2008-3714-and-CVE-2008-508.diff ends here ---

The following VuXML entry should be evaluated and added:
--- vuln.xml begins here ---
  <vuln vid="27d78386-d35f-11dd-b800-001b77d09812">
    <topic>awstats -- multiple XSS vulnerabilities</topic>
    <affects>
      <package>
        <name>awstats</name>
        <range><lt>6.8_2,1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Secunia reports:</p>
        <blockquote
          cite="http://secunia.com/advisories/31519">
          <p>Morgan Todd has discovered a vulnerability in AWStats,
          which can be exploited by malicious people to conduct
          cross-site scripting attacks.</p>
          <p>Input passed in the URL to awstats.pl is not properly
          sanitised before being returned to the user. This can be
          exploited to execute arbitrary HTML and script code in a
          user's browser session in context of an affected site.</p>
          <p>Successful exploitation requires that the application is
          running as a CGI script.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2008-3714</cvename>
      <cvename>CVE-2008-5080</cvename>
      <url>http://secunia.com/advisories/31519</url>
      <url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495432</url>
    </references>
    <dates>
      <discovery>03-12-2008</discovery>
      <entry>TODAY</entry>
    </dates>
  </vuln>
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:


