AWStats Patch for [ 2001151 ] XSS Issue
ispCP Board - Support (http://www.isp-control.net/forum), forum: Suggestions, thread /thread-4064.html
AWStats Patch for [ 2001151 ] XSS Issue - FeG - 08-19-2008 09:41 PM

Hi all,

I guess that the AWStats coming with ispCP is affected by the XSS vulnerability described here:
http://sourceforge.net/tracker/index.php?func=detail&aid=2001151&group_id=13764&atid=113764

If so, I'd suppose the attached patch, which is an adapted modification from this one:
http://awstats.cvs.sourceforge.net/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.910&r2=1.911&view=patch

You can apply this patch by saving the given patch as /usr/lib/cgi-bin/awstats.patch and then executing:

Code:
$ cd /usr/lib/cgi-bin/

Greetings
FeG

PS: On my ispCP / AWStats installation I could not get the POC running, but I'm not sure whether that is because Firefox blocks some XSS.


RE: AWStats Patch for [ 2001151 ] XSS Issue - sander2930 - 08-19-2008 09:47 PM

FeG Wrote:
    Hi all,

/usr/lib/cgi-bin# patch -p0 < aw.patch
patching file awstats.pl
patch: **** malformed patch at line 4: sub DecodeEncodedString {

--
debian etch awstats 6.5+dfsg-1


RE: AWStats Patch for [ 2001151 ] XSS Issue - FeG - 08-20-2008 01:18 AM

Hi sander2930,

sander2930 Wrote:
    /usr/lib/cgi-bin# patch -p0 < aw.patch

thanks, it seems as if copying the patch out of the forum breaks it (you lose some spaces at the beginning of the lines). So I've attached the patch to the post above. You'll have to rename it, because one is not allowed to upload *.patch files.

Greetings
FeG


RE: AWStats Patch for [ 2001151 ] XSS Issue - RatS - 08-20-2008 06:13 AM

I've fixed the patch


RE: AWStats Patch for [ 2001151 ] XSS Issue - sander2930 - 08-20-2008 06:28 PM

thanks, that worked.


RE: AWStats Patch for [ 2001151 ] XSS Issue - FeG - 08-21-2008 05:48 AM

RatS Wrote:
    I've fixed the patch

What was wrong with my corrected one? I've tested it successfully on my installation.

Greetings
FeG


RE: AWStats Patch for [ 2001151 ] XSS Issue - khan2002 - 08-26-2008 06:29 PM

Hi, I've tried both and both are not working on my Debian:

PHP Code:
patching file awstats.pl

and in the awstats.pl.rej I find:

PHP Code:
*** awstats.pl

Anyone an idea?


RE: AWStats Patch for [ 2001151 ] XSS Issue - FeG - 08-26-2008 08:06 PM

Hi khan2002,

khan2002 Wrote:
    I've tried both and both are not working on my Debian:

Have you changed the awstats.pl file in any way or updated AWStats to a newer version? Anyway, you can apply this patch by simply adding these lines (with +) to the mentioned functions in awstats.pl:

Code:
sub DecodeEncodedString {

(DecodeEncodedString should have already been patched on your system, so the line "$stringtodecode =~ s/%22//g;" should already be there)

Code:
sub CleanFromCSSA {

These four lines weren't added by the patch program, so you can add them manually by editing the awstats.pl file.

Greetings
FeG


RE: AWStats Patch for [ 2001151 ] XSS Issue - khan2002 - 08-26-2008 09:40 PM

Thanks a lot!!!
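As an added illustration (not code from AWStats, from the patch, or from anyone in this thread), the Perl below shows why the `$stringtodecode =~ s/%22//g;` line FeG mentions matters: it compares decoding a query value with and without that line and then places the result in a double-quoted HTML attribute. The function names, the `render_attribute` template and the sample query string are constructed for this example only.

```perl
#!/usr/bin/perl
# Added illustration, not AWStats code: the effect of stripping %22 before
# URL-decoding (the line FeG says DecodeEncodedString must contain).
use strict;
use warnings;

# Percent-decode the way an unpatched decoder would: every %XX becomes a byte.
sub decode_unpatched {
    my ($s) = @_;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Same decoding, preceded by the line from the patch: encoded double quotes
# are dropped first, so the decoded value can never contain a literal '"'.
sub decode_patched {
    my ($s) = @_;
    $s =~ s/%22//g;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Hypothetical template: echo a decoded value into a double-quoted attribute,
# as a statistics page might do with a query-string value.
sub render_attribute {
    my ($value) = @_;
    return qq{<a href="awstats.pl?config=$value">stats</a>};
}

# Constructed sample input: tries to close the attribute and start a new one.
my $query = 'example.com%22%20title=%22injected';

for my $variant ( [ unpatched => \&decode_unpatched ],
                  [ patched   => \&decode_patched ] ) {
    my ( $name, $decode ) = @$variant;
    my $html   = render_attribute( $decode->($query) );
    my $quotes = () = $html =~ /"/g;    # an intact attribute has exactly 2
    printf "%-9s quotes=%d  %s\n", $name, $quotes, $html;
}
```

Run it with `perl` to see the unpatched variant produce four double quotes (the attribute has been closed and a new one opened) while the patched variant keeps exactly two; in general, escaping the value on output with an HTML encoder protects every attribute context, whereas this strip only removes the one character the patch targets.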