eldy / AWStats

AWStats Log Analyzer project (official sources)
https://www.awstats.org

CVE-2017-1000501 question #90

Closed Boran closed 5 years ago

Boran commented 6 years ago

See https://security-tracker.debian.org/tracker/CVE-2017-1000501. To fix this issue I upgraded to the latest release (7.4+dfsg-1ubuntu0.3) on my Ubuntu 16.04.

Then I tried to open http://myserver.example.com/cgi-bin/awstats.pl?config=/etc/passwd; it is still parsing /etc/passwd (even though it is only trying to read value pairs) and fails:

    Warning: Syntax error line 1 in file '/etc/passwd'. Config line is ignored.
    Warning: Syntax error line 2 in file '/etc/passwd'. Config line is ignored.
    Warning: Syntax error line 3 in file '/etc/passwd'. Config line is ignored.

Surely it should not open absolute paths?

The problem comes from this code, around line 1773.

    if ( !$FileConfig ) {
        my $SiteConfigBis = File::Spec->rel2abs($SiteConfig);
        debug("Finally, try to open an absolute path : $SiteConfigBis", 2);

        if ( -f $SiteConfigBis && open(CONFIG, "$SiteConfigBis")) {
            $FileConfig = "$SiteConfigBis";
            $FileSuffix = '';
            if ($Debug){debug("Opened config: $SiteConfigBis", 2);}
            $SiteConfig=$SiteConfigBis;
        }
        else {
            if ($Debug){debug("Unable to open config file: $SiteConfigBis", 2);}
        }
    }

In my case, the server has a name, let's say foo.example.com; it also has a DNS alias myserver.example.com. However, there is no config for that domain in /etc/awstats, so it fails to find a config file; it then reads a config file from the parameters and accepts a file that has an absolute path. Surely that should not be allowed? Workaround: comment out the above code.

Question: what is the proper way to fix this?

avian2 commented 6 years ago

It seems that the previous fix was not complete. The same issue exists in current packages in Debian.

I've opened a bug report there: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891469

Another workaround until a proper fix is in place is to create an empty /etc/awstats/awstats.conf (so that the file gets opened and the `if ( !$FileConfig )` check fails).

eldy commented 5 years ago

I think the best solution is to comment out all this code, around line 1773. I made the change for AWStats 7.8.
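The following is an added example, not code from AWStats or from anyone in this thread. It models the config lookup that the quoted Perl block belongs to, so that the three things discussed above can be seen side by side: the absolute-path fallback that opens `/etc/passwd` for an unknown alias, the fix of removing that fallback (eldy's change for 7.8), and avian2's workaround of an empty `awstats.conf`. It also adds an input check on the `config` value, which the thread does not propose. The search order (a per-site `awstats.<site>.conf` in each directory, then `awstats.conf`, then the fallback) follows the structure described in the thread; the directory list, the name pattern, and all function names are assumptions, and the files are constructed in a temporary directory.

```python
"""Model of the AWStats config lookup discussed in CVE-2017-1000501 (added example)."""
import os
import re
import tempfile

# Assumption: a site config name should look like a hostname and nothing else.
# Anything containing a path separator, '..', or a leading '/' is rejected.
SAFE_CONFIG_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def lookup_config(site_config, config_dirs, absolute_fallback=True):
    """Return the file that would be opened for ?config=<site_config>, or None.

    absolute_fallback=True reproduces the quoted block from awstats.pl;
    absolute_fallback=False is the fix (the block commented out).
    """
    # Pass 1: a per-site config in any of the configured directories.
    for d in config_dirs:
        candidate = os.path.join(d, f"awstats.{site_config}.conf")
        if os.path.isfile(candidate):
            return candidate
    # Pass 2: the generic awstats.conf. An empty one here is avian2's workaround:
    # it is found, $FileConfig is set, and the fallback below is never reached.
    for d in config_dirs:
        candidate = os.path.join(d, "awstats.conf")
        if os.path.isfile(candidate):
            return candidate
    # Pass 3 (vulnerable): File::Spec->rel2abs($SiteConfig) returns an absolute
    # value unchanged, so ?config=/etc/passwd opens /etc/passwd.
    if absolute_fallback:
        candidate = os.path.abspath(site_config)
        if os.path.isfile(candidate):
            return candidate
    return None


def lookup_config_hardened(site_config, config_dirs):
    """Reject anything that is not a plain config name before touching the
    filesystem, and never fall back to the caller-supplied path."""
    if not SAFE_CONFIG_RE.match(site_config):
        raise ValueError(f"refusing config name {site_config!r}")
    return lookup_config(site_config, config_dirs, absolute_fallback=False)


def demo():
    """Build a constructed layout under a temp dir and report what each variant opens."""
    with tempfile.TemporaryDirectory() as root:
        confdir = os.path.join(root, "etc", "awstats")
        os.makedirs(confdir)
        # Constructed stand-in for /etc/passwd.
        secret = os.path.join(root, "etc", "passwd")
        with open(secret, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        # The one site that actually has a config.
        with open(os.path.join(confdir, "awstats.foo.example.com.conf"), "w") as f:
            f.write("LogFile=/var/log/apache2/access.log\n")

        results = {}
        results["known"] = lookup_config("foo.example.com", [confdir])
        # Unknown alias plus an absolute path: the fallback opens the secret file.
        results["vuln_opens_secret"] = lookup_config(secret, [confdir]) == secret
        # Same request with the fallback removed (the 7.8 fix).
        results["fixed_opens_secret"] = (
            lookup_config(secret, [confdir], absolute_fallback=False) == secret
        )
        # avian2's workaround: an empty awstats.conf satisfies pass 2.
        with open(os.path.join(confdir, "awstats.conf"), "w"):
            pass
        results["workaround"] = lookup_config(secret, [confdir])
        results["workaround_opens_secret"] = results["workaround"] == secret
        os.remove(os.path.join(confdir, "awstats.conf"))
        # Input validation rejects the value before any file is touched.
        try:
            lookup_config_hardened(secret, [confdir])
            results["hardened"] = "opened"
        except ValueError:
            results["hardened"] = "rejected"
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The workaround row is worth noting: with an empty `awstats.conf` in place, the request for `?config=/etc/passwd` opens that empty file rather than `/etc/passwd`, which is exactly why the `if ( !$FileConfig )` branch is skipped. Removing the fallback is the proper fix, and validating the `config` value as a hostname-like token additionally keeps `..` and absolute paths from ever reaching `-f`.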

Beuc commented 3 years ago

Hi. I opened #195 to reference an unfixed variant of this vulnerability.