Diffstat (limited to 'network/awstats/patches/0001-FIX-Security-reported-by-cPanel-Security-Team-can-ex.patch')
-rw-r--r--network/awstats/patches/0001-FIX-Security-reported-by-cPanel-Security-Team-can-ex.patch71
1 files changed, 0 insertions, 71 deletions
diff --git a/network/awstats/patches/0001-FIX-Security-reported-by-cPanel-Security-Team-can-ex.patch b/network/awstats/patches/0001-FIX-Security-reported-by-cPanel-Security-Team-can-ex.patch
deleted file mode 100644
index 1233b642e6..0000000000
--- a/network/awstats/patches/0001-FIX-Security-reported-by-cPanel-Security-Team-can-ex.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From cf219843a74c951bf5986f3a7fffa3dcf99c3899 Mon Sep 17 00:00:00 2001
-From: Laurent Destailleur <eldy@destailleur.fr>
-Date: Sun, 17 Dec 2017 12:55:48 +0100
-Subject: [PATCH] FIX Security reported by cPanel Security Team (can execute
- arbitraty code)
-
----
- wwwroot/cgi-bin/awstats.pl | 19 ++++++++++++++-----
- 1 file changed, 14 insertions(+), 5 deletions(-)
-
-diff --git a/wwwroot/cgi-bin/awstats.pl b/wwwroot/cgi-bin/awstats.pl
-index 091d6823..fca4900f 100755
---- a/wwwroot/cgi-bin/awstats.pl
-+++ b/wwwroot/cgi-bin/awstats.pl
-@@ -1780,7 +1780,7 @@ sub Read_Config {
- }else{if ($Debug){debug("Unable to open config file: $searchdir$SiteConfig", 2);}}
- }
-
-- #CL - Added to open config if full path is passed to awstats
-+ #CL - Added to open config if full path is passed to awstats
- if ( !$FileConfig ) {
-
- my $SiteConfigBis = File::Spec->rel2abs($SiteConfig);
-@@ -2205,7 +2205,10 @@ sub Parse_Config {
- }
-
- # Plugins
-- if ( $param =~ /^LoadPlugin/ ) { push @PluginsToLoad, $value; next; }
-+ if ( $param =~ /^LoadPlugin/ ) {
-+ $value =~ s/[^a-zA-Z0-9_\/\.\+:=\?\s%\-]//g; # Sanitize plugin name and string param because it is used later in an eval.
-+ push @PluginsToLoad, $value; next;
-+ }
-
- # Other parameter checks we need to put after MaxNbOfExtra and MinHitExtra
- if ( $param =~ /^MaxNbOf(\w+)/ ) { $MaxNbOf{$1} = $value; next; }
-@@ -3251,7 +3254,7 @@ sub Read_Plugins {
- }
- my $ret; # To get init return
- my $initfunction =
-- "\$ret=Init_$pluginname('$pluginparam')";
-+ "\$ret=Init_$pluginname('$pluginparam')"; # Note that pluginname and pluginparam were sanitized when reading cong file entry 'LoadPlugin'
- my $initret = eval("$initfunction");
- if ( $initret && $initret eq 'xxx' ) {
- $initret =
-@@ -17140,7 +17143,10 @@ if ( $ENV{'GATEWAY_INTERFACE'} ) { # Run from a browser as CGI
- # No update but report by default when run from a browser
- $UpdateStats = ( $QueryString =~ /update=1/i ? 1 : 0 );
-
-- if ( $QueryString =~ /config=([^&]+)/i ) { $SiteConfig = &Sanitize("$1"); }
-+ if ( $QueryString =~ /config=([^&]+)/i ) {
-+ $SiteConfig = &Sanitize("$1");
-+ $SiteConfig =~ s/\.\.//g; # Avoid directory transversal
-+ }
- if ( $QueryString =~ /diricons=([^&]+)/i ) { $DirIcons = "$1"; }
- if ( $QueryString =~ /pluginmode=([^&]+)/i ) {
- $PluginMode = &Sanitize( "$1", 1 );
-@@ -17227,7 +17233,10 @@ else { # Run from command line
- # Update with no report by default when run from command line
- $UpdateStats = 1;
-
-- if ( $QueryString =~ /config=([^&]+)/i ) { $SiteConfig = &Sanitize("$1"); }
-+ if ( $QueryString =~ /config=([^&]+)/i ) {
-+ $SiteConfig = &Sanitize("$1");
-+ $SiteConfig =~ s/\.\.//g;
-+ }
- if ( $QueryString =~ /diricons=([^&]+)/i ) { $DirIcons = "$1"; }
- if ( $QueryString =~ /pluginmode=([^&]+)/i ) {
- $PluginMode = &Sanitize( "$1", 1 );
---
-2.15.1
-