1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
|
From 06c0ab29c1e5059d9e0279c6b64d573d619e1651 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Wed, 27 Dec 2017 13:39:57 +0100
Subject: [PATCH] Fix another vulnerability reported by cPanel Security Team
(can execute arbitraty code)
---
wwwroot/cgi-bin/awstats.pl | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/wwwroot/cgi-bin/awstats.pl b/wwwroot/cgi-bin/awstats.pl
index fca4900f..4f14c6ee 100755
--- a/wwwroot/cgi-bin/awstats.pl
+++ b/wwwroot/cgi-bin/awstats.pl
@@ -17145,7 +17145,6 @@ if ( $ENV{'GATEWAY_INTERFACE'} ) { # Run from a browser as CGI
if ( $QueryString =~ /config=([^&]+)/i ) {
$SiteConfig = &Sanitize("$1");
- $SiteConfig =~ s/\.\.//g; # Avoid directory transversal
}
if ( $QueryString =~ /diricons=([^&]+)/i ) { $DirIcons = "$1"; }
if ( $QueryString =~ /pluginmode=([^&]+)/i ) {
@@ -17191,10 +17190,13 @@ if ( $ENV{'GATEWAY_INTERFACE'} ) { # Run from a browser as CGI
# If migrate
if ( $QueryString =~ /(^|-|&|&)migrate=([^&]+)/i ) {
$MigrateStats = &Sanitize("$2");
+
$MigrateStats =~ /^(.*)$PROG(\d{0,2})(\d\d)(\d\d\d\d)(.*)\.txt$/;
- $SiteConfig = $5 ? $5 : 'xxx';
+ $SiteConfig = &Sanitize($5 ? $5 : 'xxx');
$SiteConfig =~ s/^\.//; # SiteConfig is used to find config file
}
+
+ $SiteConfig =~ s/\.\.//g; # Avoid directory transversal
}
else { # Run from command line
$DebugMessages = 1;
@@ -17204,9 +17206,10 @@ else { # Run from command line
# If migrate
if ( $ARGV[$_] =~ /(^|-|&|&)migrate=([^&]+)/i ) {
- $MigrateStats = "$2";
+ $MigrateStats = &Sanitize("$2");
+
$MigrateStats =~ /^(.*)$PROG(\d{0,2})(\d\d)(\d\d\d\d)(.*)\.txt$/;
- $SiteConfig = $5 ? $5 : 'xxx';
+ $SiteConfig = &Sanitize($5 ? $5 : 'xxx');
$SiteConfig =~ s/^\.//; # SiteConfig is used to find config file
next;
}
@@ -17235,7 +17238,6 @@ else { # Run from command line
if ( $QueryString =~ /config=([^&]+)/i ) {
$SiteConfig = &Sanitize("$1");
- $SiteConfig =~ s/\.\.//g;
}
if ( $QueryString =~ /diricons=([^&]+)/i ) { $DirIcons = "$1"; }
if ( $QueryString =~ /pluginmode=([^&]+)/i ) {
@@ -17301,6 +17303,8 @@ else { # Run from command line
$ShowDirectOrigin = 1;
$QueryString =~ s/showdirectorigin[^&]*//i;
}
+
+ $SiteConfig =~ s/\.\.//g;
}
if ( $QueryString =~ /(^|&|&)staticlinks/i ) {
$StaticLinks = "$PROG.$SiteConfig";
--
2.15.1
|