Closed Boran closed 5 years ago
It seems that the previous fix was not complete. The same issue exists in current packages in Debian.
I've opened a bug report there: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891469
Another work-around until a proper fix is in place is to create an empty /etc/awstats/awstats.conf (so that the file gets opened and the if ( !$FileConfig ) check fails).
I think the best solution is to comment out all this code, around line 1773. I made the change for awstats 7.8.
Hi. I opened #195 to reference an unfixed variant of this vulnerability.
See https://security-tracker.debian.org/tracker/CVE-2017-1000501. To fix this issue I upgraded to the latest release (7.4+dfsg-1ubuntu0.3) on my Ubuntu 16.04.
Then I tried to open http://myserver.example.com/cgi-bin/awstats.pl?config=/etc/passwd; it still parses /etc/passwd (even though it is only trying to read value pairs) and fails:
Surely it should not open absolute paths?
The problem comes from this code, around line 1773.
In my case, the server has a name, let's say foo.example.com; it also has a DNS alias myserver.example.com. However, there is no config for that domain in /etc/awstats, so it fails to find a config file. It then reads a config file from the parameters and accepts a file that has an absolute path. Surely that should not be allowed? Workaround: comment out the above code.
Question: what is the proper way to fix this?
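One defensive answer to that question, added here as an illustration and not code from the AWStats project or from any commenter: treat the config parameter as a bare site name, look it up only in known configuration directories, and never fall back to opening the parameter itself as a path. The directory list, the function names and the awstats.SITE.conf naming used below are assumptions for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed list of directories in which config files may live.
my @ConfigDirs = ('/etc/awstats', '/usr/local/etc/awstats');

# Accept only a host-like site name: letters, digits, '.', '_' and '-'.
# Anything containing '/' (absolute or relative paths) or '..' is rejected,
# so the parameter can never name a file outside the config directories.
sub validate_site_config {
    my ($site) = @_;
    return undef unless defined $site && length $site;
    return undef unless $site =~ /\A[A-Za-z0-9][A-Za-z0-9._-]{0,254}\z/;
    return undef if $site =~ /\.\./;    # no ".." even inside a dotted name
    return $site;
}

# Resolve a validated site name to an existing config file, or undef.
# Deliberately no fallback to "open whatever the parameter says":
# that fallback is the behaviour this issue describes.
sub find_config_file {
    my ($site) = @_;
    my $safe = validate_site_config($site);
    return undef unless defined $safe;
    for my $dir (@ConfigDirs) {
        my $candidate = "$dir/awstats.$safe.conf";
        return $candidate if -f $candidate;
    }
    return undef;
}

# Constructed sample inputs showing which values pass validation.
unless (caller) {
    for my $p ('foo.example.com', 'www.example.org',
               '/etc/passwd', '../../etc/passwd', 'a..b') {
        my $r = validate_site_config($p);
        printf "%-20s -> %s\n", $p, defined $r ? 'accepted' : 'rejected';
    }
}
```

With no config present for the alias, find_config_file returns undef and the caller should report "no configuration for this site" rather than parse an arbitrary file.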