Debian Bug report logs - #495432
XSS in awstats < 6.9beta (upstream bug 2001151)

version graph

Package: awstats; Maintainer for awstats is Sergey B Kirpichev <skirpichev@gmail.com>; Source for awstats is src:awstats.

Reported by: Andreas Henriksson <andreas@fatal.se>

Date: Sun, 17 Aug 2008 11:30:01 UTC

Severity: important

Tags: patch, security

Found in versions awstats/6.5+dfsg-1, awstats/6.7.dfsg-5

Fixed in version awstats/6.7.dfsg-5.1

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>:
Bug#495432; Package awstats. Full text and rfc822 format available.

Acknowledgement sent to Andreas Henriksson <andreas@fatal.se>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Andreas Henriksson <andreas@fatal.se>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: XSS in awstats < 6.9beta (upstream bug 2001151)
Date: Sun, 17 Aug 2008 13:32:32 +0200
[Message part 1 (text/plain, inline)]
Package: awstats
Version: 6.5+dfsg-1
Severity: grave
Tags: security patch
Justification: user security hole


>From http://sourceforge.net/tracker/index.php?func=detail&aid=2001151&group_id=13764&atid=113764

There is a Cross Site Scripting Issue when the action attribute is output
for the form tag. Please see this PoC:
	http://www.example.com/awstats/awstats.pl?config=www.example.com&%22onload=%22alert(document.domain)//

This seems to affect any version below 6.9 beta.

I believe this is the fix:
http://awstats.cvs.sourceforge.net/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.910&r2=1.911
[xxx_awstats69_rss_2001151.diff (text/plain, attachment)]

Severity set to `important' from `grave' Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Sun, 17 Aug 2008 11:42:02 GMT) Full text and rfc822 format available.

Reply sent to Andreas Henriksson <andreas@fatal.se>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Andreas Henriksson <andreas@fatal.se>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #12 received at 495432-close@bugs.debian.org (full text, mbox):

From: Andreas Henriksson <andreas@fatal.se>
To: 495432-close@bugs.debian.org
Subject: Bug#495432: fixed in awstats 6.7.dfsg-5
Date: Sun, 17 Aug 2008 12:17:03 +0000
Source: awstats
Source-Version: 6.7.dfsg-5

We believe that the bug you reported is fixed in the latest version of
awstats, which is due to be installed in the Debian FTP archive:

awstats_6.7.dfsg-5.diff.gz
  to pool/main/a/awstats/awstats_6.7.dfsg-5.diff.gz
awstats_6.7.dfsg-5.dsc
  to pool/main/a/awstats/awstats_6.7.dfsg-5.dsc
awstats_6.7.dfsg-5_all.deb
  to pool/main/a/awstats/awstats_6.7.dfsg-5_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 495432@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Henriksson <andreas@fatal.se> (supplier of updated awstats package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 17 Aug 2008 13:54:04 +0200
Source: awstats
Binary: awstats
Architecture: source all
Version: 6.7.dfsg-5
Distribution: unstable
Urgency: low
Maintainer: Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>
Changed-By: Andreas Henriksson <andreas@fatal.se>
Description: 
 awstats    - powerful and featureful web server log analyzer
Closes: 495432
Changes: 
 awstats (6.7.dfsg-5) unstable; urgency=low
 .
   * Add debian/patches/0001_awstats69beta_xss.patch,
     upstream security fix from 6.9 beta to fix XSS.
     (Closes: #495432, upstream bug 2001151)
Checksums-Sha1: 
 46f0dfda44eea3bbe7306ef2129dac5ac6dfaa67 1372 awstats_6.7.dfsg-5.dsc
 4b2ff7bf7c1ae22d049631680461ef4243830ac5 28764 awstats_6.7.dfsg-5.diff.gz
 a2cc76e1e2a605e48ea72a440e4d86ee32f041c6 917646 awstats_6.7.dfsg-5_all.deb
Checksums-Sha256: 
 ee0c20d08282db402edd2dcf912785ac9d144a413744756ee8026b63690e22f7 1372 awstats_6.7.dfsg-5.dsc
 09888944577a151b961a0ff777dd9d77c800941006b8c4dc298159744bb50bdf 28764 awstats_6.7.dfsg-5.diff.gz
 5cc00eb987bbbccaf60b84078d6bab9253158ea9f33b699c688dedf21e385550 917646 awstats_6.7.dfsg-5_all.deb
Files: 
 5b40ef1502f0cd85c120da9789ac4b38 1372 web optional awstats_6.7.dfsg-5.dsc
 77f1a98dd26057bb86fd0a716bdca004 28764 web optional awstats_6.7.dfsg-5.diff.gz
 8c42de959b150943ef254b2294af0c03 917646 web optional awstats_6.7.dfsg-5_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkioFPMACgkQcgQ2cL3l8e6/2wCdF1BXTvHHEoYlFsLeN9jZ+bTs
JDsAoLw6jS6JjuXZIhCXEwLradZXQdAr
=1zv6
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 26 Sep 2008 07:28:46 GMT) Full text and rfc822 format available.

Bug unarchived. Request was from Florian Weimer <fw@deneb.enyo.de> to control@bugs.debian.org. (Wed, 03 Dec 2008 10:51:01 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>:
Bug#495432; Package awstats. (Wed, 03 Dec 2008 11:18:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>. (Wed, 03 Dec 2008 11:18:02 GMT) Full text and rfc822 format available.

Message #21 received at 495432@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: 495432@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Patch is not affective
Date: Wed, 03 Dec 2008 12:16:42 +0100
found 495432 6.7.dfsg-5
thanks

Please use the following patch instead.  (The "onload=" part does not
harm, but it's easy to circumvent and therefore unnecessary.)

I tried to notify upstream, but the Sourceforge account bounces.  If
you have got a better contact, please forward this piece of
information.

diff --git a/wwwroot/cgi-bin/awstats.pl b/wwwroot/cgi-bin/awstats.pl
index 8194462..f96ac63 100755
--- a/wwwroot/cgi-bin/awstats.pl
+++ b/wwwroot/cgi-bin/awstats.pl
@@ -4395,6 +4395,7 @@ sub DecodeEncodedString {
 	my $stringtodecode=shift;
 	$stringtodecode =~ tr/\+/ /s;
 	$stringtodecode =~ s/%([A-F0-9][A-F0-9])/pack("C", hex($1))/ieg;
+	$stringtodecode =~ s/["']//g;
 	return $stringtodecode;
 }
 




Bug marked as found in version 6.7.dfsg-5 and reopened. Request was from Florian Weimer <fw@deneb.enyo.de> to control@bugs.debian.org. (Wed, 03 Dec 2008 11:18:07 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>:
Bug#495432; Package awstats. (Tue, 09 Dec 2008 21:48:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Andreas Henriksson <andreas@fatal.se>:
Extra info received and forwarded to list. Copy sent to Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>. (Tue, 09 Dec 2008 21:48:06 GMT) Full text and rfc822 format available.

Message #28 received at 495432@bugs.debian.org (full text, mbox):

From: Andreas Henriksson <andreas@fatal.se>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: 495432 <495432@bugs.debian.org>
Subject: Re: [Pkg-awstats-devel] Bug#495432: Patch is not affective
Date: Tue, 09 Dec 2008 22:51:09 +0100
Hello Florian!

Thanks for looking at this problem!

On ons, 2008-12-03 at 12:16 +0100, Florian Weimer wrote:
> Please use the following patch instead.  (The "onload=" part does not
> harm, but it's easy to circumvent and therefore unnecessary.)

I couldn't see it do any harm, so I had no reason to deviate from
upstreams changes.

> 
> I tried to notify upstream, but the Sourceforge account bounces.  If
> you have got a better contact, please forward this piece of
> information.
> 

I'm the latest sucker to join the awstats maintainance and haven't yet
established any contact with upstream. It's on my todo, but motivation
is a bit lacking unfortunately. Sorry.

> diff --git a/wwwroot/cgi-bin/awstats.pl b/wwwroot/cgi-bin/awstats.pl
> index 8194462..f96ac63 100755
> --- a/wwwroot/cgi-bin/awstats.pl
> +++ b/wwwroot/cgi-bin/awstats.pl
> @@ -4395,6 +4395,7 @@ sub DecodeEncodedString {
>  	my $stringtodecode=shift;
>  	$stringtodecode =~ tr/\+/ /s;
>  	$stringtodecode =~ s/%([A-F0-9][A-F0-9])/pack("C", hex($1))/ieg;
> +	$stringtodecode =~ s/["']//g;
>  	return $stringtodecode;
>  }
>  

To sum it up and make sure I've understood this correctly. The problem
with the previous patch is that it only handles " (%22) while yours
takes care of both " and ', right?

I'll try to fix this up for Unstable (and later get a freeze exception
for Testing). Thanks for taking care of Stable.

-- 
Regards,
Andreas Henriksson




Information forwarded to debian-bugs-dist@lists.debian.org, Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>:
Bug#495432; Package awstats. (Wed, 10 Dec 2008 12:24:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>. (Wed, 10 Dec 2008 12:24:07 GMT) Full text and rfc822 format available.

Message #33 received at 495432@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 495432@bugs.debian.org
Subject: intent to NMU
Date: Wed, 10 Dec 2008 13:19:26 +0100
[Message part 1 (text/plain, inline)]
Hi,
Hendrik, the problem is that the patch decodes %%2222 to %22 
and then back to ".

I will upload Florians patch in an NMU. debdiff attached.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[awstats-6.7.dfsg-5_6.7.dfsg-5.1.patch (text/x-diff, attachment)]
[Message part 3 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>:
Bug#495432; Package awstats. (Wed, 10 Dec 2008 13:03:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Andreas Henriksson <andreas@fatal.se>:
Extra info received and forwarded to list. Copy sent to Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>. (Wed, 10 Dec 2008 13:03:03 GMT) Full text and rfc822 format available.

Message #38 received at 495432@bugs.debian.org (full text, mbox):

From: Andreas Henriksson <andreas@fatal.se>
To: Nico Golde <nion@debian.org>, 495432@bugs.debian.org
Subject: Re: [Pkg-awstats-devel] Bug#495432: intent to NMU
Date: Wed, 10 Dec 2008 14:01:25 +0100
On ons, 2008-12-10 at 13:19 +0100, Nico Golde wrote:
> I will upload Florians patch in an NMU. debdiff attached.

Thanks for stepping in. My upload was REJECTED. (I don't quite
understand why, so I used the option in the reject mail to ask for help
on the reason.)

-- 
Regards,
Andreas Henriksson




Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. (Wed, 10 Dec 2008 13:18:13 GMT) Full text and rfc822 format available.

Notification sent to Andreas Henriksson <andreas@fatal.se>:
Bug acknowledged by developer. (Wed, 10 Dec 2008 13:18:13 GMT) Full text and rfc822 format available.

Message #43 received at 495432-close@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 495432-close@bugs.debian.org
Subject: Bug#495432: fixed in awstats 6.7.dfsg-5.1
Date: Wed, 10 Dec 2008 12:47:03 +0000
Source: awstats
Source-Version: 6.7.dfsg-5.1

We believe that the bug you reported is fixed in the latest version of
awstats, which is due to be installed in the Debian FTP archive:

awstats_6.7.dfsg-5.1.diff.gz
  to pool/main/a/awstats/awstats_6.7.dfsg-5.1.diff.gz
awstats_6.7.dfsg-5.1.dsc
  to pool/main/a/awstats/awstats_6.7.dfsg-5.1.dsc
awstats_6.7.dfsg-5.1_all.deb
  to pool/main/a/awstats/awstats_6.7.dfsg-5.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 495432@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated awstats package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 10 Dec 2008 13:05:43 +0100
Source: awstats
Binary: awstats
Architecture: source all
Version: 6.7.dfsg-5.1
Distribution: unstable
Urgency: high
Maintainer: Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 awstats    - powerful and featureful web server log analyzer
Closes: 495432
Changes: 
 awstats (6.7.dfsg-5.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Strip '"' characters during URL decoding, fixing a cross-site
     scripting attack (CVE-2008-3714; CVE-2008-5080; Closes: #495432).
Checksums-Sha1: 
 c4ed7c46c73efd41d78f30af8be391ba8f34bab8 1380 awstats_6.7.dfsg-5.1.dsc
 b449df588b5615fd33a6e44620d4c656975be0e1 29130 awstats_6.7.dfsg-5.1.diff.gz
 071e21994b92e52a1e8f6ad7a99760d3752e2d26 918204 awstats_6.7.dfsg-5.1_all.deb
Checksums-Sha256: 
 05c73c405a42a2646955445e3550aba1d4903c2e0d255ab7305d44cef8394940 1380 awstats_6.7.dfsg-5.1.dsc
 d31732f16cd6ae98e598f1b4c39ca167c91a94687cd61d58ee95aa9d14f61e51 29130 awstats_6.7.dfsg-5.1.diff.gz
 1bb58502d311f4cd64a100f7166778f953acd77aa0d04ccbc5ba5ad53fa76f4f 918204 awstats_6.7.dfsg-5.1_all.deb
Files: 
 fd609d2b3421f32c316f0e3927960050 1380 web optional awstats_6.7.dfsg-5.1.dsc
 e5e95b705a8208eeccdd1388c368301f 29130 web optional awstats_6.7.dfsg-5.1.diff.gz
 087a9ed792c8f63afc7e18df0e0d4987 918204 web optional awstats_6.7.dfsg-5.1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkk/s8EACgkQHYflSXNkfP8pawCfVppoTuaEoEVdIDxQauxMc90X
GCYAoI/FdH5X4U+DNYhUIscRrmlIOzr4
=89Xg
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>:
Bug#495432; Package awstats. (Wed, 10 Dec 2008 13:33:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jonas Smedegaard <dr@jones.dk>:
Extra info received and forwarded to list. Copy sent to Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>. (Wed, 10 Dec 2008 13:33:02 GMT) Full text and rfc822 format available.

Message #48 received at 495432@bugs.debian.org (full text, mbox):

From: Jonas Smedegaard <dr@jones.dk>
To: Andreas Henriksson <andreas@fatal.se>, 495432@bugs.debian.org
Cc: Nico Golde <nion@debian.org>
Subject: Re: [Pkg-awstats-devel] Bug#495432: Bug#495432: intent to NMU
Date: Wed, 10 Dec 2008 14:30:46 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, Dec 10, 2008 at 02:01:25PM +0100, Andreas Henriksson wrote:
>On ons, 2008-12-10 at 13:19 +0100, Nico Golde wrote:
>> I will upload Florians patch in an NMU. debdiff attached.
>
>Thanks for stepping in. My upload was REJECTED. (I don't quite 
>understand why, so I used the option in the reject mail to ask for help 
>on the reason.)

I don't understand either why your tarball didn't match upstream.

It might be related to my errors in the past of improper use of 
pristine-tar, leading to non-virgin tarballs being uploaded. But exactly 
how that could lead to current problem I don't know.

Another problem is that your posts to our mailinglists got rejected. And 
it seems I've lost my admin password to that list. I am working on that!


  - Jonas

- -- 
* Jonas Smedegaard - idealist og Internet-arkitekt
* Tlf.: +45 40843136  Website: http://dr.jones.dk/

    [x] quote me freely  [ ] ask before reusing  [ ] keep private
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkk/xIYACgkQn7DbMsAkQLiFsACfXlHjNRISOPgabYfzp+FBv1/u
kWMAnR5JJqgWgOzfGG+h5euVDQeprMCw
=suVL
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 10 Jan 2009 07:28:15 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 00:49:47 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.