AWStats Patch for [ 2001151 ] XSS Issue
FeG Offline
Banned

Posts: 222
Joined: Aug 2007
Post: #1
AWStats Patch for [ 2001151 ] XSS Issue
Hi all,

I guess that the AWStats coming with ispCP is affected by the XSS vulnerability described here: http://sourceforge.net/tracker/index.php...tid=113764

If so, I'd suppose the attached patch, which is an adapted modification from this one: http://awstats.cvs.sourceforge.net/awsta...view=patch

You can apply this patch by saving the given patch as /usr/lib/cgi-bin/awstats.patch and then executing:
Code:
$ cd /usr/lib/cgi-bin/
$ patch -p0 < awstats.patch
$ rm awstats.patch

Greetings
FeG

PS: On my ispCP / AWStats installation I could not get the POC running, but I'm not sure that it doesn't because Firefox does some blocks on XSS.


Attached File(s)
.txt  awstats.patch.txt (Size: 705 bytes / Downloads: 13)
(This post was last modified: 08-20-2008 01:17 AM by FeG.)
08-19-2008 09:41 PM
sander2930 Offline
Junior Member
*

Posts: 17
Joined: Feb 2007
Reputation: 0
Post: #2
RE: AWStats Patch for [ 2001151 ] XSS Issue
FeG Wrote:Hi all,

I guess that the AWStats coming with ispCP is affected by the XSS vulnerability described here: http://sourceforge.net/tracker/index.php...tid=113764

If so, I'd suppose the following patch, which is an adapted modification from this one: http://awstats.cvs.sourceforge.net/awsta...view=patch

Code:
--- awstats.pl    2006-11-04 22:17:24.000000000 +0100
+++ awstats.pl    2008-08-19 13:28:14.000000000 +0200
@@ -4394,6 +4394,7 @@
sub DecodeEncodedString {
    my $stringtodecode=shift;
    $stringtodecode =~ tr/\+/ /s;
+    $stringtodecode =~ s/%22//g;
    $stringtodecode =~ s/%([A-F0-9][A-F0-9])/pack("C", hex($1))/ieg;
    return $stringtodecode;
}
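Review bot: The added s/%22//g in DecodeEncodedString runs before the percent-decoding line and matches only the encoded spelling, so a literal " already present in the string is returned unchanged, while legitimate values that contain an encoded quote are silently altered. Consider handling the quote after decoding, in the output-cleaning function, by encoding it as &quot; instead of deleting one spelling of it here.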
@@ -4437,8 +4438,12 @@
#------------------------------------------------------------------------------
sub CleanFromCSSA {
    my $stringtoclean=shift;
+    # To avoid html tags and javascript
    $stringtoclean =~ s/</&lt;/g;
    $stringtoclean =~ s/>/&gt;/g;
+    $stringtoclean =~ s/|//g;
+    # To avoid onload="
+    $stringtoclean =~ s/onload//g;
    return $stringtoclean;
}
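Review bot: In CleanFromCSSA the added s/|//g has an unescaped |, which Perl reads as an alternation of two empty patterns, so the substitution matches the empty string and removes nothing; if the pipe character is meant, it has to be written s/\|//g. The s/onload//g line is case-sensitive and names a single attribute, which makes it a narrow keyword filter; encoding & and " as entities next to the existing < and > lines would cover attribute context without a keyword list.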

You can apply this patch by writing the given text into /usr/lib/cgi-bin/awstats.patch and then executing:
Code:
$ cd /usr/lib/cgi-bin/
$ patch -p0 < awstats.patch
$ rm awstats.patch

Greetings
FeG

PS: On my ispCP / AWStats installation I could not get the POC running, but I'm not sure that it doesn't because Firefox does some blocks on XSS.

/usr/lib/cgi-bin# patch -p0 < aw.patch
patching file awstats.pl
patch: **** malformed patch at line 4: sub DecodeEncodedString {

---

debian etch
awstats 6.5+dfsg-1
08-19-2008 09:47 PM
FeG Offline
Banned

Posts: 222
Joined: Aug 2007
Post: #3
RE: AWStats Patch for [ 2001151 ] XSS Issue
Hi sander2930,

sander2930 Wrote:/usr/lib/cgi-bin# patch -p0 < aw.patch
patching file awstats.pl
patch: **** malformed patch at line 4: sub DecodeEncodedString {

Thanks, it seems as if copying the patch out of the forum breaks it (you lose some spaces at the beginnings of the lines). So I've attached the patch to the post above.

You'll have to rename it, cause one is not allowed to upload *.patch - files.

Greetings
FeG
08-20-2008 01:18 AM
RatS Offline
Project Leader
******

Posts: 1,854
Joined: Oct 2006
Reputation: 17
Post: #4
RE: AWStats Patch for [ 2001151 ] XSS Issue
I've fixed the patch


Attached File(s)
.txt  awstats.patch.txt (Size: 787 bytes / Downloads: 25)
08-20-2008 06:13 AM
sander2930 Offline
Junior Member
*

Posts: 17
Joined: Feb 2007
Reputation: 0
Post: #5
RE: AWStats Patch for [ 2001151 ] XSS Issue
thanks, that worked.
08-20-2008 06:28 PM
FeG Offline
Banned

Posts: 222
Joined: Aug 2007
Post: #6
RE: AWStats Patch for [ 2001151 ] XSS Issue
RatS Wrote:I've fixed the patch

What was wrong with my corrected one? I've tested it successfully on my installation..

Greetings
FeG
08-21-2008 05:48 AM
khan2002 Offline
Newbie
*

Posts: 8
Joined: Aug 2008
Reputation: 0
Post: #7
RE: AWStats Patch for [ 2001151 ] XSS Issue
Hi,

I've tried both and both are not working on my Debian:

PHP Code:
patching file awstats.pl
Hunk #1 succeeded at 4394 (offset 18 lines).
Hunk #2 FAILED at 4446.
1 out of 2 hunks FAILED -- saving rejects to file awstats.pl.rej 

and in the awstats.pl.rej I find:

PHP Code:
*** awstats.pl    
--- awstats.pl.orig    
***************
*** 
4376,4382 ****
  
sub DecodeEncodedString {
      
my $stringtodecode=shift;
      
$stringtodecode =~ tr/\+/ /s;
-     
$stringtodecode =~ s/%22//g;
      
$stringtodecode =~ s/%([A-F0-9][A-F0-9])/pack("C"hex($1))/ieg;
      return 
$stringtodecode;
  }
--- 
4376,4381 ----
***************
*** 
4429,4440 ****
  
#------------------------------------------------------------------------------
  
sub CleanXSS {
      
my $stringtoclean=shift;
-     
# To avoid html tags and javascript
      
$stringtoclean =~ s/</</g;
      
$stringtoclean =~ s/>/>/g;
      
$stringtoclean =~ s/|//g;
-     # To avoid onload="
-     $stringtoclean =~ s/onload//g;
      
return $stringtoclean;
  }
  
--- 
4428,4436 ---- 

Anyone an idea?
08-26-2008 06:29 PM
FeG Offline
Banned

Posts: 222
Joined: Aug 2007
Post: #8
RE: AWStats Patch for [ 2001151 ] XSS Issue
Hi khan2002,

khan2002 Wrote:I've tried both and both are not working on my Debian:

...

Anyone an idea?

Have you changed the awstats.pl file in any way or updated AWStats to a newer version?

Anyway, you can apply this patch by simply adding these lines (with +) to the mentioned functions in awstats.pl:

Code:
sub DecodeEncodedString {
    my $stringtodecode=shift;
    $stringtodecode =~ tr/\+/ /s;
+    $stringtodecode =~ s/%22//g;
    $stringtodecode =~ s/%([A-F0-9][A-F0-9])/pack("C", hex($1))/ieg;
    return $stringtodecode;
}

(DecodeEncodedString should have already been patched on your system, so the line "$stringtodecode =~ s/%22//g;" should already be there)

Code:
sub CleanFromCSSA {
    my $stringtoclean=shift;
+    # To avoid html tags and javascript
    $stringtoclean =~ s/</&lt;/g;
    $stringtoclean =~ s/>/&gt;/g;
+    $stringtoclean =~ s/|//g;
+    # To avoid onload="
+    $stringtoclean =~ s/onload//g;
    return $stringtoclean;
}

These four lines weren't added by the patch program, so you can add them manually by editing the awstats.pl file.

Greetings
FeG
08-26-2008 08:06 PM
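
Added example, not part of the thread and not ispCP or AWStats code: after a partial or manual application as described in post #8, this script reports which of the patch's added statements are present inside the expected subs of awstats.pl. The function names sub_body, has_line and check_awstats_fix are made up for this example; the optional second argument covers installations where the cleaning sub is named CleanXSS, as in the reject file in post #7.

```shell
#!/bin/sh
# Usage (after sourcing this file):
#   check_awstats_fix /usr/lib/cgi-bin/awstats.pl [CleanXSS]
# The statements checked are copied from the patch quoted in this thread.

# sub_body FILE NAME: print one Perl sub, from "sub NAME {" to the first
# line that starts with "}".
sub_body() {
    awk -v name="$2" '
        $1 == "sub" && $2 == name { inside = 1 }
        inside { print }
        inside && /^}/ { exit }
    ' "$1"
}

# has_line FILE SUB TEXT: succeed if TEXT occurs verbatim inside SUB.
has_line() {
    sub_body "$1" "$2" | grep -F -q -- "$3"
}

# check_awstats_fix FILE [CLEAN_SUB]: list each added statement as present
# or MISSING; return 0 only when all three are in place.
check_awstats_fix() {
    file=$1
    clean_sub=${2:-CleanFromCSSA}
    missing=0
    set -- \
        DecodeEncodedString '$stringtodecode =~ s/%22//g;' \
        "$clean_sub"        '$stringtoclean =~ s/|//g;' \
        "$clean_sub"        '$stringtoclean =~ s/onload//g;'
    while [ $# -ge 2 ]; do
        if has_line "$file" "$1" "$2"; then
            echo "present  $1: $2"
        else
            echo "MISSING  $1: $2"
            missing=$((missing + 1))
        fi
        shift 2
    done
    [ "$missing" -eq 0 ]
}
```

The match is on the exact statement text, so a line retyped with different spacing is reported as MISSING.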
khan2002 Offline
Newbie
*

Posts: 8
Joined: Aug 2008
Reputation: 0
Post: #9
RE: AWStats Patch for [ 2001151 ] XSS Issue
Thanks a lot!!!
08-26-2008 09:40 PM