diff -Nru awstats-7.4+dfsg/debian/changelog awstats-7.4+dfsg/debian/changelog
--- awstats-7.4+dfsg/debian/changelog 2016-09-20 12:12:28.000000000 +0000
+++ awstats-7.4+dfsg/debian/changelog 2018-01-05 12:39:52.000000000 +0000
@@ -1,3 +1,14 @@
+awstats (7.4+dfsg-1ubuntu0.2) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: code execution via path traversal flaws
+ - debian/patches/CVE-2017-1000501-1.patch: sanitize values in
+ wwwroot/cgi-bin/awstats.pl.
+ - debian/patches/CVE-2017-1000501-2.patch: sanitize more values in
+ wwwroot/cgi-bin/awstats.pl.
+ - CVE-2017-1000501
+
+ -- Marc Deslauriers Fri, 05 Jan 2018 07:39:52 -0500
+
 awstats (7.4+dfsg-1ubuntu0.1) xenial; urgency=medium
 
 * Backport upstream patch to remove regexp syntax deprecation warnings
diff -Nru awstats-7.4+dfsg/debian/patches/CVE-2017-1000501-1.patch awstats-7.4+dfsg/debian/patches/CVE-2017-1000501-1.patch
--- awstats-7.4+dfsg/debian/patches/CVE-2017-1000501-1.patch 1970-01-01 00:00:00.000000000 +0000
+++ awstats-7.4+dfsg/debian/patches/CVE-2017-1000501-1.patch 2018-01-05 12:39:43.000000000 +0000
@@ -0,0 +1,68 @@
+From cf219843a74c951bf5986f3a7fffa3dcf99c3899 Mon Sep 17 00:00:00 2001
+From: Laurent Destailleur
+Date: Sun, 17 Dec 2017 12:55:48 +0100
+Subject: [PATCH] FIX Security reported by cPanel Security Team (can execute
+ arbitraty code)
+
+---
+ wwwroot/cgi-bin/awstats.pl | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+Index: awstats-7.4+dfsg/wwwroot/cgi-bin/awstats.pl
+===================================================================
+--- awstats-7.4+dfsg.orig/wwwroot/cgi-bin/awstats.pl 2018-01-05 07:39:40.949877884 -0500
++++ awstats-7.4+dfsg/wwwroot/cgi-bin/awstats.pl 2018-01-05 07:39:40.949877884 -0500
+@@ -1768,7 +1768,7 @@ sub Read_Config {
+ }else{if ($Debug){debug("Unable to open config file: $searchdir$SiteConfig", 2);}}
+ }
+
+- #CL - Added to open config if full path is passed to awstats
++ #CL - Added to open config if full path is passed to awstats
+ if ( !$FileConfig ) {
+
+ my $SiteConfigBis = File::Spec->rel2abs($SiteConfig);
+@@ -2193,7 +2193,10 @@ sub Parse_Config {
+ }
+
+ # Plugins
+- if ( $param =~ /^LoadPlugin/ ) { push @PluginsToLoad, $value; next; }
++ if ( $param =~ /^LoadPlugin/ ) {
++ $value =~ s/[^a-zA-Z0-9_\/\.\+:=\?\s%\-]//g; # Sanitize plugin name and string param because it is used later in an eval.
++ push @PluginsToLoad, $value; next;
++ }
+
+ # Other parameter checks we need to put after MaxNbOfExtra and MinHitExtra
+ if ( $param =~ /^MaxNbOf(\w+)/ ) { $MaxNbOf{$1} = $value; next; }
+@@ -3234,7 +3237,7 @@ sub Read_Plugins {
+ }
+ my $ret; # To get init return
+ my $initfunction =
+- "\$ret=Init_$pluginname('$pluginparam')";
++ "\$ret=Init_$pluginname('$pluginparam')"; # Note that pluginname and pluginparam were sanitized when reading cong file entry 'LoadPlugin'
+ my $initret = eval("$initfunction");
+ if ( $initret && $initret eq 'xxx' ) {
+ $initret =
+@@ -17047,7 +17050,10 @@ if ( $ENV{'GATEWAY_INTERFACE'} ) { #
+ # No update but report by default when run from a browser
+ $UpdateStats = ( $QueryString =~ /update=1/i ? 1 : 0 );
+
+- if ( $QueryString =~ /config=([^&]+)/i ) { $SiteConfig = &Sanitize("$1"); }
++ if ( $QueryString =~ /config=([^&]+)/i ) {
++ $SiteConfig = &Sanitize("$1");
++ $SiteConfig =~ s/\.\.//g; # Avoid directory transversal
++ }
+ if ( $QueryString =~ /diricons=([^&]+)/i ) { $DirIcons = "$1"; }
+ if ( $QueryString =~ /pluginmode=([^&]+)/i ) {
+ $PluginMode = &Sanitize( "$1", 1 );
+@@ -17134,7 +17140,10 @@ else { # Run
+ # Update with no report by default when run from command line
+ $UpdateStats = 1;
+
+- if ( $QueryString =~ /config=([^&]+)/i ) { $SiteConfig = &Sanitize("$1"); }
++ if ( $QueryString =~ /config=([^&]+)/i ) {
++ $SiteConfig = &Sanitize("$1");
++ $SiteConfig =~ s/\.\.//g;
++ }
+ if ( $QueryString =~ /diricons=([^&]+)/i ) { $DirIcons = "$1"; }
+ if ( $QueryString =~ /pluginmode=([^&]+)/i ) {
+ $PluginMode = &Sanitize( "$1", 1 );
diff -Nru awstats-7.4+dfsg/debian/patches/CVE-2017-1000501-2.patch awstats-7.4+dfsg/debian/patches/CVE-2017-1000501-2.patch
--- awstats-7.4+dfsg/debian/patches/CVE-2017-1000501-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ awstats-7.4+dfsg/debian/patches/CVE-2017-1000501-2.patch 2018-01-05 12:39:49.000000000 +0000
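Review bot: The string `eval("$initfunction")` in Read_Plugins is still protected only by the character filter added about a thousand lines earlier in Parse_Config, and nothing at the eval site re-checks `$pluginname` or `$pluginparam`; both functions continue outside the hunks, so whether another path can fill `@PluginsToLoad` is not visible here. The filter is also wider than a plugin name needs (it keeps `/`, `.`, `:`, `%` and whitespace because name and parameter share one pass) and it deletes characters silently, so a tampered `LoadPlugin` entry is altered rather than rejected and logged. I would validate at the sink and stop splicing the parameter into code, e.g. `die "Bad plugin name\n" unless $pluginname =~ /\A\w+\z/;` followed by `my $initret = eval { no strict 'refs'; &{"Init_$pluginname"}($pluginparam) };` (keep the `$ret` assignment if it is read later). The new comment on the `$initfunction` line should name Parse_Config explicitly so the dependency between the two functions is searchable.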
@@ -0,0 +1,67 @@
+From 06c0ab29c1e5059d9e0279c6b64d573d619e1651 Mon Sep 17 00:00:00 2001
+From: Laurent Destailleur
+Date: Wed, 27 Dec 2017 13:39:57 +0100
+Subject: [PATCH] Fix another vulnerability reported by cPanel Security Team
+ (can execute arbitraty code)
+
+---
+ wwwroot/cgi-bin/awstats.pl | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+Index: awstats-7.4+dfsg/wwwroot/cgi-bin/awstats.pl
+===================================================================
+--- awstats-7.4+dfsg.orig/wwwroot/cgi-bin/awstats.pl 2018-01-05 07:39:47.513872313 -0500
++++ awstats-7.4+dfsg/wwwroot/cgi-bin/awstats.pl 2018-01-05 07:39:47.505872320 -0500
+@@ -17052,7 +17052,6 @@ if ( $ENV{'GATEWAY_INTERFACE'} ) { #
+
+ if ( $QueryString =~ /config=([^&]+)/i ) {
+ $SiteConfig = &Sanitize("$1");
+- $SiteConfig =~ s/\.\.//g; # Avoid directory transversal
+ }
+ if ( $QueryString =~ /diricons=([^&]+)/i ) { $DirIcons = "$1"; }
+ if ( $QueryString =~ /pluginmode=([^&]+)/i ) {
+@@ -17098,10 +17097,13 @@ if ( $ENV{'GATEWAY_INTERFACE'} ) { #
+ # If migrate
+ if ( $QueryString =~ /(^|-|&|&)migrate=([^&]+)/i ) {
+ $MigrateStats = &Sanitize("$2");
++
+ $MigrateStats =~ /^(.*)$PROG(\d{0,2})(\d\d)(\d\d\d\d)(.*)\.txt$/;
+- $SiteConfig = $5 ? $5 : 'xxx';
++ $SiteConfig = &Sanitize($5 ? $5 : 'xxx');
+ $SiteConfig =~ s/^\.//; # SiteConfig is used to find config file
+ }
++
++ $SiteConfig =~ s/\.\.//g; # Avoid directory transversal
+ }
+ else { # Run from command line
+ $DebugMessages = 1;
+@@ -17111,9 +17113,10 @@ else { # Run
+
+ # If migrate
+ if ( $ARGV[$_] =~ /(^|-|&|&)migrate=([^&]+)/i ) {
+- $MigrateStats = "$2";
++ $MigrateStats = &Sanitize("$2");
++
+ $MigrateStats =~ /^(.*)$PROG(\d{0,2})(\d\d)(\d\d\d\d)(.*)\.txt$/;
+- $SiteConfig = $5 ? $5 : 'xxx';
++ $SiteConfig = &Sanitize($5 ? $5 : 'xxx');
+ $SiteConfig =~ s/^\.//; # SiteConfig is used to find config file
+ next;
+ }
+@@ -17142,7 +17145,6 @@ else { # Run
+
+ if ( $QueryString =~ /config=([^&]+)/i ) {
+ $SiteConfig = &Sanitize("$1");
+- $SiteConfig =~ s/\.\.//g;
+ }
+ if ( $QueryString =~ /diricons=([^&]+)/i ) { $DirIcons = "$1"; }
+ if ( $QueryString =~ /pluginmode=([^&]+)/i ) {
+@@ -17208,6 +17210,8 @@ else { # Run
+ $ShowDirectOrigin = 1;
+ $QueryString =~ s/showdirectorigin[^&]*//i;
+ }
++
++ $SiteConfig =~ s/\.\.//g;
+ }
+ if ( $QueryString =~ /(^|&|&)staticlinks/i ) {
+ $StaticLinks = "$PROG.$SiteConfig";
diff -Nru awstats-7.4+dfsg/debian/patches/series awstats-7.4+dfsg/debian/patches/series
--- awstats-7.4+dfsg/debian/patches/series 2016-09-20 12:11:07.000000000 +0000
+++ awstats-7.4+dfsg/debian/patches/series 2018-01-05 12:39:46.000000000 +0000
@@ -12,3 +12,5 @@
 2007_googleplus.patch
 2008_twitter.patch
 2009_googlesearch.patch
+CVE-2017-1000501-1.patch
+CVE-2017-1000501-2.patch
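Review bot: The relocated `$SiteConfig =~ s/\.\.//g;` removes parent-directory sequences but does not reduce `$SiteConfig` to a bare config name: a leading `/` and embedded path separators pass through it, and the Read_Config context in the first patch shows `File::Spec->rel2abs($SiteConfig)` being tried "if full path is passed". Unless `Sanitize` (defined outside these hunks) strips separators, a `config=` value in the `GATEWAY_INTERFACE` branch can therefore still name a file outside the configuration directories. In that branch I would reject rather than rewrite, directly after the new strip: `die "Invalid config name\n" unless $SiteConfig =~ /\A[\w.\-]+\z/;`, leaving the command-line branch free to accept a full path. The same hunks leave `$MigrateStats` with only `Sanitize` applied, and the unchanged context line `$DirIcons = "$1";` takes the query value unfiltered; both deserve the same check if they reach a file path or the HTML output, which is outside the hunk.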