Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2017-1000501 question #90

Closed
Boran opened this issue Feb 20, 2018 · 3 comments
Closed

CVE-2017-1000501 question #90

Boran opened this issue Feb 20, 2018 · 3 comments

Comments

@Boran
Copy link

Boran commented Feb 20, 2018

See https://security-tracker.debian.org/tracker/CVE-2017-1000501.
To fix this issue I upgraded to the latest release (7.4+dfsg-1ubuntu0.3) on my ubuntu 16.04.

Then I tried to open
http://myserver.example.com/cgi-bin/awstats.pl?config=/etc/passwd
it is still parsing /etc/passwd (even though only trying reading value pairs) and fails:

Warning: Syntax error line 1 in file '/etc/passwd'. Config line is ignored.
Warning: Syntax error line 2 in file '/etc/passwd'. Config line is ignored.
Warning: Syntax error line 3 in file '/etc/passwd'. Config line is ignored.

Surely it should not open absolut paths?

The problem comes from this code, around line 1773.

    if ( !$FileConfig ) {
            my $SiteConfigBis = File::Spec->rel2abs($SiteConfig);
            debug("Finally, try to open an absolute path : $SiteConfigBis", 2);

            if ( -f $SiteConfigBis && open(CONFIG, "$SiteConfigBis")) {
                    $FileConfig = "$SiteConfigBis";
                    $FileSuffix = '';
                    if ($Debug){debug("Opened config: $SiteConfigBis", 2);}
                    $SiteConfig=$SiteConfigBis;
            }
            else {
                    if ($Debug){debug("Unable to open config file: $SiteConfigBis", 2);}
            }
    }

In my case, the server has a name, lets say foo.example.com, it also has a DNS alias myserver.example.com. However there is no config for that domain in /etc/awstats, so it fails to find a config file it then reads a config file from the parameters - and - accepts a file that has an absolute path. Sure that should not be allowed?
Workaround: comment out the above code.

Question: what is the proper way to fix this?
@avian2
Copy link
Contributor

avian2 commented Feb 25, 2018
edited
Loading

It seems that the previous fix was not complete. The same issue exists in current packages in Debian.

I've opened a bug report there: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891469

Another work-around until a proper fix is in place is to create an empty /etc/awstats/awstats.conf (so that the file gets opened and the if ( !$FileConfig ) fails).

@eldy
Copy link
Owner

eldy commented Dec 17, 2018

I think best solution is to comment all this code, around line 1773.
I made the change for awstats 7.8

@eldy eldy closed this as completed in d4d815d Dec 17, 2018
@Beuc Beuc mentioned this issue Nov 21, 2020
Closed
@Beuc Beuc mentioned this issue Dec 9, 2020
Closed
@Beuc
Copy link
Contributor

Beuc commented Dec 9, 2020

Hi. I opened #195 to reference an unfixed variant of this vulnerability.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@Boran @eldy @Beuc @avian2