From e761ac4e7f3a3e6a16a06a2c6be7a88296ca3c84 Mon Sep 17 00:00:00 2001
From: minskim
Date: Sun, 5 Feb 2012 23:58:07 +0000
Subject: Fix XSS vulnerabilities in awstats. Patch from awstat's CVS repo.
---
 www/awstats/Makefile | 4 +-
 www/awstats/distinfo | 3 +-
 .../patches/patch-wwwroot_cgi-bin_awredir.pl | 47 ++++++++++++++++++++++
 3 files changed, 51 insertions(+), 3 deletions(-)
 create mode 100644 www/awstats/patches/patch-wwwroot_cgi-bin_awredir.pl
(limited to 'www')
diff --git a/www/awstats/Makefile b/www/awstats/Makefile
index e18b7fd9c8f..f061e47bc0b 100644
--- a/www/awstats/Makefile
+++ b/www/awstats/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.45 2011/05/30 09:31:25 hauke Exp $
+# $NetBSD: Makefile,v 1.46 2012/02/05 23:58:07 minskim Exp $
 DISTNAME= awstats-7.0
-PKGREVISION= 2
+PKGREVISION= 3
 CATEGORIES= www
 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=awstats/}
diff --git a/www/awstats/distinfo b/www/awstats/distinfo
index 983366d4421..4b872f521f8 100644
--- a/www/awstats/distinfo
+++ b/www/awstats/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.28 2011/05/30 09:32:41 hauke Exp $
+$NetBSD: distinfo,v 1.29 2012/02/05 23:58:07 minskim Exp $
 SHA1 (awstats-7.0/awstats-7.0.tar.gz) = 733fa7d6a540f4a54f52c69a5f271c789472b0b7
 RMD160 (awstats-7.0/awstats-7.0.tar.gz) = 0bd46afbd3159cf5f3e517b37a43b7d0852fc2a3
@@ -6,3 +6,4 @@ Size (awstats-7.0/awstats-7.0.tar.gz) = 1254327 bytes
 SHA1 (patch-aa) = 77505c9894b0be638d748c506feb93e065a3318f
 SHA1 (patch-ab) = 9ae474058a1803c1132b36448c1a6987c58e8823
 SHA1 (patch-ad) = 9c08fff3fcc3871a08c73c9509fbeb5baca06c09
+SHA1 (patch-wwwroot_cgi-bin_awredir.pl) = 3e3a41ab4bfbe633f78af182f5d2692bd678595d
diff --git a/www/awstats/patches/patch-wwwroot_cgi-bin_awredir.pl b/www/awstats/patches/patch-wwwroot_cgi-bin_awredir.pl
new file mode 100644
index 00000000000..0ada11d3fd8
--- /dev/null
+++ b/www/awstats/patches/patch-wwwroot_cgi-bin_awredir.pl
@@ -0,0 +1,47 @@
+$NetBSD: patch-wwwroot_cgi-bin_awredir.pl,v 1.1 2012/02/05 23:58:07 minskim Exp $
+
+Security fix for http://secunia.com/advisories/46160/
+
+--- wwwroot/cgi-bin/awredir.pl.orig 2009-01-03 10:42:04.000000000 +0000
++++ wwwroot/cgi-bin/awredir.pl
+@@ -73,6 +73,27 @@ sub DecodeEncodedString {
+ return $stringtodecode;
+ }
+
++#------------------------------------------------------------------------------
++# Function: Clean a string of HTML tags to avoid 'Cross Site Scripting attacks'
++# and clean | char.
++# Parameters: stringtoclean
++# Input: None
++# Output: None
++# Return: cleanedstring
++#------------------------------------------------------------------------------
++sub CleanXSS {
++ my $stringtoclean = shift;
++
++ # To avoid html tags and javascript
++ $stringtoclean =~ s//>/g;
++ $stringtoclean =~ s/|//g;
++
++ # To avoid onload="
++ $stringtoclean =~ s/onload//g;
++ return $stringtoclean;
++}
++
+
+ #-------------------------------------------------------
+ # MAIN
+@@ -124,6 +145,12 @@ elsif ($Url =~ /url=(.+)$/) { $Url=$1; }
+ $Url = DecodeEncodedString($Url);
+ $UrlParam=$Url;
+
++# Sanitize parameters
++$Tag=CleanXSS($Tag);
++$Key=CleanXSS($Key);
++$UrlParam=CleanXSS($UrlParam);
++
++
+ if (! $UrlParam) {
+ error("Error: Bad use of $PROG. To redirect an URL with $PROG, use the following syntax:
/cgi-bin/$PROG.pl?url=http://urltogo");
+ }
--
cgit v1.2.3
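Review bot: The `s/onload//g` line in the new CleanXSS sub is deny-list substring deletion and is not even idempotent — a single pass turns `onloonloadad` into `onload` — while other handler names (`onerror`, `onmouseover`, …) and a `javascript:` scheme pass through unchanged, so it is no substitute for escaping at the point where `$Tag`, `$Key` and `$UrlParam` are emitted. `$UrlParam` is presumably the redirect target (the redirect itself lies outside this hunk), so a positive check that feeds the existing usage-error path is safer than filtering: `$UrlParam = '' unless $UrlParam =~ m{\Ahttps?://[^\s"'<>|]+\z};` placed just before `if (! $UrlParam) {`, with `$Tag`/`$Key` likewise reduced to an allowed character set once their legitimate charset is confirmed. Separately, the two angle-bracket substitutions render here as the syntactically incomplete `s//>/g;`, which looks like rendering loss rather than the committed text; the patch file should be compared with the upstream CVS change to confirm `<` and `>` are really neutralised, since the distinfo checksum only pins whatever was committed.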