ports/129957: [vuxml] [patch] www/awstats: fix CVE-2008-3714 and CVE-2008-5080
Eygene Ryabinkin
rea-fbsd at codelabs.ru
Fri Dec 26 16:10:02 UTC 2008
>Number: 129957
>Category: ports
>Synopsis: [vuxml] [patch] www/awstats: fix CVE-2008-3714 and CVE-2008-5080
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Dec 26 16:10:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Eygene Ryabinkin
>Release: FreeBSD 7.1-PRERELEASE amd64
>Organization:
Code Labs
>Environment:
System: FreeBSD 7.1-PRERELEASE amd64
>Description:
From CVE-2008-3714:
-----
Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.8
allows remote attackers to inject arbitrary web script or HTML via the
query_string.
-----
>How-To-Repeat:
Look at the following documents:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3714
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495432
>Fix:
The following patch adds the fix obtained from Debian:
--- fix-XSS-CVE-2008-3714-and-CVE-2008-508.diff begins here ---
>From 33fb2589f0e4764ffda167ec58c40fe78d00e424 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd at codelabs.ru>
Date: Fri, 26 Dec 2008 18:56:37 +0300
Add Debian fix for the CVE-2008-3714. CVE-2008-5080 and Debian
bugreport explain why the upstream fix was very incomplete.
Signed-off-by: Eygene Ryabinkin <rea-fbsd at codelabs.ru>
---
www/awstats/Makefile | 2 +-
www/awstats/files/patch-CVE-2008-3714 | 20 ++++++++++++++++++++
2 files changed, 21 insertions(+), 1 deletions(-)
create mode 100644 www/awstats/files/patch-CVE-2008-3714
diff --git a/www/awstats/Makefile b/www/awstats/Makefile
index 45aa0cd..6b0b997 100644
--- a/www/awstats/Makefile
+++ b/www/awstats/Makefile
@@ -7,7 +7,7 @@
PORTNAME= awstats
PORTVERSION= 6.8
-PORTREVISION= 1
+PORTREVISION= 2
PORTEPOCH= 1
CATEGORIES= www
MASTER_SITES= SF
diff --git a/www/awstats/files/patch-CVE-2008-3714 b/www/awstats/files/patch-CVE-2008-3714
new file mode 100644
index 0000000..0eacb5e
--- /dev/null
+++ b/www/awstats/files/patch-CVE-2008-3714
@@ -0,0 +1,20 @@
+Fixes XSS in awstats.pl: CVE-2008-3714
+
+Please, note that the upstream fix,
+ http://awstats.cvs.sourceforge.net/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.910&r2=1.911
+is incomplete and can be easily curcumvented,
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5080
+
+Obtained from: Debian, http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=33;filename=awstats-6.7.dfsg-5_6.7.dfsg-5.1.patch;att=1;bug=495432
+See also: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495432
+
+--- wwwroot/cgi-bin/awstats.pl.orig 2008-12-26 18:45:31.000000000 +0300
++++ wwwroot/cgi-bin/awstats.pl 2008-12-26 18:46:40.000000000 +0300
+@@ -4407,6 +4407,7 @@
+ my $stringtodecode=shift;
+ $stringtodecode =~ tr/\+/ /s;
+ $stringtodecode =~ s/%([A-F0-9][A-F0-9])/pack("C", hex($1))/ieg;
++ $stringtodecode =~ s/["']//g;
+ return $stringtodecode;
+ }
+
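Review bot: in the embedded awstats.pl hunk (@@ -4407,6 +4407,7 @@), the added `$stringtodecode =~ s/["']//g;` removes only double and single quotes, so `<`, `>` and `&` leave this function unchanged, and any legitimately quoted value that passes through the decoder is silently altered. The patch header calls the upstream fix incomplete but does not say why deleting quotes at decode time is sufficient; please state that reasoning in the header, or HTML-escape the decoded value at the points where it is written into the page rather than filtering it in the decoder. Also, "curcumvented" in the header text should read "circumvented".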
--
1.6.0.6
--- fix-XSS-CVE-2008-3714-and-CVE-2008-508.diff ends here ---
The following VuXML entry should be evaluated and added:
--- vuln.xml begins here ---
<vuln vid="27d78386-d35f-11dd-b800-001b77d09812">
  <topic>awstats -- multiple XSS vulnerabilities</topic>
  <affects>
    <package>
      <name>awstats</name>
      <range><lt>6.8_2,1</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Secunia reports:</p>
      <blockquote
        cite="http://secunia.com/advisories/31519">
        <p>Morgan Todd has discovered a vulnerability in AWStats,
          which can be exploited by malicious people to conduct
          cross-site scripting attacks.</p>
        <p>Input passed in the URL to awstats.pl is not properly
          sanitised before being returned to the user. This can be
          exploited to execute arbitrary HTML and script code in a
          user's browser session in context of an affected site.</p>
        <p>Successful exploitation requires that the application is
          running as a CGI script.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2008-3714</cvename>
    <cvename>CVE-2008-5080</cvename>
    <url>http://secunia.com/advisories/31519</url>
    <url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495432</url>
  </references>
  <dates>
    <discovery>03-12-2008</discovery>
    <entry>TODAY</entry>
  </dates>
</vuln>
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: