ispCP - Board - Support
AWStats Patch for [ 2001151 ] XSS Issue - Printable Version




AWStats Patch for [ 2001151 ] XSS Issue - FeG - 08-19-2008 09:41 PM

Hi all,

I guess that the AWStats coming with ispCP is affected by the XSS vulnerability described here: http://sourceforge.net/tracker/index.php?func=detail&aid=2001151&group_id=13764&atid=113764

If so, I'd suppose the attached patch, which is an adapted modification from this one: http://awstats.cvs.sourceforge.net/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.910&r2=1.911&view=patch

You can apply this patch by saving the given patch as /usr/lib/cgi-bin/awstats.patch and then executing:
Code:
$ cd /usr/lib/cgi-bin/
$ patch -p0 < awstats.patch
$ rm awstats.patch

Greetings
FeG

PS: On my ispCP / AWStats installation I could not get the POC running, but I'm not sure that it doesn't because Firefox does some blocks on XSS.


RE: AWStats Patch for [ 2001151 ] XSS Issue - sander2930 - 08-19-2008 09:47 PM

FeG Wrote:Hi all,

I guess that the AWStats coming with ispCP is affected by the XSS vulnerability described here: http://sourceforge.net/tracker/index.php?func=detail&aid=2001151&group_id=13764&atid=113764

If so, I'd suppose the following patch, which is an adapted modification from this one: http://awstats.cvs.sourceforge.net/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.910&r2=1.911&view=patch

Code:
--- awstats.pl    2006-11-04 22:17:24.000000000 +0100
+++ awstats.pl    2008-08-19 13:28:14.000000000 +0200
@@ -4394,6 +4394,7 @@
sub DecodeEncodedString {
    my $stringtodecode=shift;
    $stringtodecode =~ tr/\+/ /s;
+    $stringtodecode =~ s/%22//g;
    $stringtodecode =~ s/%([A-F0-9][A-F0-9])/pack("C", hex($1))/ieg;
    return $stringtodecode;
}
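Review bot: The added `s/%22//g` in DecodeEncodedString runs once, before the `%XX` decoding on the following line, so it only catches the literal three-character sequence. A raw `"` in the input is untouched, and text left over after the removal can join into a new `%22` that the decode line then turns into a quote. It also drops quotes from every string this function decodes. Consider leaving the decoder as it was and encoding `"` as `&quot;` at the point where the value is written into HTML.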
@@ -4437,8 +4438,12 @@
#------------------------------------------------------------------------------
sub CleanFromCSSA {
    my $stringtoclean=shift;
+    # To avoid html tags and javascript
    $stringtoclean =~ s/</&lt;/g;
    $stringtoclean =~ s/>/&gt;/g;
+    $stringtoclean =~ s/|//g;
+    # To avoid onload="
+    $stringtoclean =~ s/onload//g;
    return $stringtoclean;
}
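Review bot: In CleanFromCSSA the added `s/|//g` has an unescaped `|`, which Perl reads as an alternation of two empty patterns, so the line matches the empty string and removes nothing; if the intent is to strip pipe characters it needs `s/\|//g`, and a comment saying why would help. The `s/onload//g` line is case-sensitive, single-pass and names one handler only, so it does not cover other event attributes. Encoding `"` and `'` as entities next to the existing `<` and `>` lines would address attribute injection without a name list.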

You can apply this patch by writing the given text into /usr/lib/cgi-bin/awstats.patch and then executing:
Code:
$ cd /usr/lib/cgi-bin/
$ patch -p0 < awstats.patch
$ rm awstats.patch

Greetings
FeG

PS: On my ispCP / AWStats installation I could not get the POC running, but I'm not sure that it doesn't because Firefox does some blocks on XSS.

/usr/lib/cgi-bin# patch -p0 < aw.patch
patching file awstats.pl
patch: **** malformed patch at line 4: sub DecodeEncodedString {

---

debian etch
awstats 6.5+dfsg-1


RE: AWStats Patch for [ 2001151 ] XSS Issue - FeG - 08-20-2008 01:18 AM

Hi sander2930,

sander2930 Wrote:/usr/lib/cgi-bin# patch -p0 < aw.patch
patching file awstats.pl
patch: **** malformed patch at line 4: sub DecodeEncodedString {

thanks, it seems as if copying the patch out of the forum breaks it (you lose some spaces at the beginnings of the lines). So I've attached the patch to the post above.

You'll have to rename it, cause one is not allowed to upload *.patch - files.

Greetings
FeG


RE: AWStats Patch for [ 2001151 ] XSS Issue - RatS - 08-20-2008 06:13 AM

I've fixed the patch


RE: AWStats Patch for [ 2001151 ] XSS Issue - sander2930 - 08-20-2008 06:28 PM

thanks, that worked.


RE: AWStats Patch for [ 2001151 ] XSS Issue - FeG - 08-21-2008 05:48 AM

RatS Wrote:I've fixed the patch

What was wrong with my corrected one? I've tested it successfully on my installation..

Greetings
FeG


RE: AWStats Patch for [ 2001151 ] XSS Issue - khan2002 - 08-26-2008 06:29 PM

Hy,

I've tried both and both are not working on my Debian:

PHP Code:
patching file awstats.pl
Hunk #1 succeeded at 4394 (offset 18 lines).
Hunk #2 FAILED at 4446.
1 out of 2 hunks FAILED -- saving rejects to file awstats.pl.rej 

and in the awstats.pl.rej I find:

PHP Code:
*** awstats.pl    
--- awstats.pl.orig    
***************
*** 
4376,4382 ****
  
sub DecodeEncodedString {
      
my $stringtodecode=shift;
      
$stringtodecode =~ tr/\+/ /s;
-     
$stringtodecode =~ s/%22//g;
      
$stringtodecode =~ s/%([A-F0-9][A-F0-9])/pack("C"hex($1))/ieg;
      return 
$stringtodecode;
  }
--- 
4376,4381 ----
***************
*** 
4429,4440 ****
  
#------------------------------------------------------------------------------
  
sub CleanXSS {
      
my $stringtoclean=shift;
-     
# To avoid html tags and javascript
      
$stringtoclean =~ s/</</g;
      
$stringtoclean =~ s/>/>/g;
      
$stringtoclean =~ s/|//g;
-     # To avoid onload="
-     $stringtoclean =~ s/onload//g;
      
return $stringtoclean;
  }
  
--- 
4428,4436 ---- 

Does anyone have an idea?


RE: AWStats Patch for [ 2001151 ] XSS Issue - FeG - 08-26-2008 08:06 PM

Hi khan2002,

khan2002 Wrote:I've tried both and both are not working on my Debian:

...

Does anyone have an idea?

Have you changed the awstats.pl file in any way or updated AWStats to a newer version?

Anyway, you can apply this patch by simply adding these lines (with +) to the mentioned functions in awstats.pl:

Code:
sub DecodeEncodedString {
    my $stringtodecode=shift;
    $stringtodecode =~ tr/\+/ /s;
+    $stringtodecode =~ s/%22//g;
    $stringtodecode =~ s/%([A-F0-9][A-F0-9])/pack("C", hex($1))/ieg;
    return $stringtodecode;
}

(DecodeEncodedString should have already been patched on your system, so the line "$stringtodecode =~ s/%22//g;" should already be there)

Code:
sub CleanFromCSSA {
    my $stringtoclean=shift;
+    # To avoid html tags and javascript
    $stringtoclean =~ s/</&lt;/g;
    $stringtoclean =~ s/>/&gt;/g;
+    $stringtoclean =~ s/|//g;
+    # To avoid onload="
+    $stringtoclean =~ s/onload//g;
    return $stringtoclean;
}

These four lines weren't added by the patch program, so you can add them manually by editing the awstats.pl file.

Greetings
FeG
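
Two checks for the problems seen in this thread, as an added example that is not part of the original posts: one finds hunk lines that lost their leading space when the patch was copied out of the forum, the other lists which of the patch's statements are still missing from awstats.pl after a partial apply. The function names and the script name are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): checks around the awstats.pl patch.

# Print the line number of the first hunk body line that lacks a
# unified-diff prefix (' ', '+', '-' or '\'), or 0 if none is found.
# Lost leading spaces, as after a forum copy and paste, show up here.
# Empty lines are skipped (a choice made for this example).
first_bad_hunk_line() {
    awk '
        /^@@ / { inhunk = 1; next }
        inhunk && length($0) > 0 {
            c = substr($0, 1, 1)
            if (c != " " && c != "+" && c != "-" && c != "\\") {
                print NR; found = 1; exit
            }
        }
        END { if (!found) print 0 }
    ' "$1"
}

# Print every statement the patch adds that is absent from the given file.
# Fixed-string matching (-F) keeps '$', '|' and '/' literal.
missing_patch_lines() {
    for stmt in \
        '$stringtodecode =~ s/%22//g;' \
        '$stringtoclean =~ s/|//g;' \
        '$stringtoclean =~ s/onload//g;'
    do
        grep -qF -- "$stmt" "$1" || printf '%s\n' "$stmt"
    done
}

# Usage: sh check_awstats_patch.sh awstats.patch awstats.pl
if [ "$#" -eq 2 ]; then
    bad=$(first_bad_hunk_line "$1")
    if [ "$bad" -ne 0 ]; then
        echo "patch file damaged at line $bad; do not apply" >&2
        exit 1
    fi
    missing_patch_lines "$2"
fi
```

An empty result from `missing_patch_lines` only confirms that the text of the patch is present in the file. GNU patch's `--dry-run` option can additionally show whether the hunks would apply before awstats.pl is modified.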


RE: AWStats Patch for [ 2001151 ] XSS Issue - khan2002 - 08-26-2008 09:40 PM

Thanks a lot!!!