Bug#364443: [Pkg-awstats-devel] Bug#364443: Vulnerability exists also with the 'diricons' parameter

Martin Schulze Fri, 12 May 2006 01:42:00 -0700

How can the diricons and config parameters be exploited?  From a quick
glance I can't find an open associated with $DirIcons.


I assume $SiteConfig leads to an open() call.

Charles Fry wrote:
> Index: awstats-6.5/wwwroot/cgi-bin/awstats.pl
> ===================================================================
> --- awstats-6.5.orig/wwwroot/cgi-bin/awstats.pl       2005-11-24 
> 15:11:19.000000000 -0500
> +++ awstats-6.5/wwwroot/cgi-bin/awstats.pl    2006-05-05 16:43:12.000000000 
> -0400
> @@ -5542,8 +5542,8 @@
>       # No update but report by default when run from a browser
>       $UpdateStats=($QueryString=~/update=1/i?1:0);
>  
> -     if ($QueryString =~ /config=([^&]+)/i)                          { 
> $SiteConfig=&DecodeEncodedString("$1"); }
> -     if ($QueryString =~ /diricons=([^&]+)/i)                        { 
> $DirIcons=&DecodeEncodedString("$1"); }
> +     if ($QueryString =~ /config=([^&]+)/i)                          { 
> $SiteConfig=&Sanitize(&DecodeEncodedString("$1")); }
> +     if ($QueryString =~ /diricons=([^&]+)/i)                        { 
> $DirIcons=&Sanitize(&DecodeEncodedString("$1")); }
>       if ($QueryString =~ /pluginmode=([^&]+)/i)                      { 
> $PluginMode=&Sanitize(&DecodeEncodedString("$1"),1); }
>       if ($QueryString =~ /configdir=([^&]+)/i)                       { 
> $DirConfig=&Sanitize(&DecodeEncodedString("$1")); }
>       # All filters
> @@ -5561,7 +5561,7 @@
>  
>       # If migrate
>       if ($QueryString =~ /(^|-|&|&amp;)migrate=([^&]+)/i)    {
> -             $MigrateStats=&DecodeEncodedString("$2"); 
> +             $MigrateStats=&Sanitize(&DecodeEncodedString("$2"));
>               $MigrateStats =~ 
> /^(.*)$PROG(\d{0,2})(\d\d)(\d\d\d\d)(.*)\.txt$/;
>               $SiteConfig=$5?$5:'xxx'; $SiteConfig =~ s/^\.//;                
> # SiteConfig is used to find config file
>       }
> @@ -5591,8 +5591,8 @@
>       # Update with no report by default when run from command line
>       $UpdateStats=1;
>  
> -     if ($QueryString =~ /config=([^&]+)/i)                          { 
> $SiteConfig="$1"; }
> -     if ($QueryString =~ /diricons=([^&]+)/i)                        { 
> $DirIcons="$1"; }
> +     if ($QueryString =~ /config=([^&]+)/i)                          { 
> $SiteConfig=&Sanitize("$1"); }
> +     if ($QueryString =~ /diricons=([^&]+)/i)                        { 
> $DirIcons=&Sanitize("$1"); }
>       if ($QueryString =~ /pluginmode=([^&]+)/i)                      { 
> $PluginMode=&Sanitize("$1",1); }
>       if ($QueryString =~ /configdir=([^&]+)/i)                       { 
> $DirConfig=&Sanitize("$1"); }
>       # All filters



Regards,

        Joey


-- 
It's time to close the windows.

Please always Cc to me when replying to me on the lists.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#364443: [Pkg-awstats-devel] Bug#364443: Vulnerability exists also with the 'diricons' parameter

Reply via email to