
Commit cf21984

committed
FIX Security reported by cPanel Security Team (can execute arbitrary
code)
1 parent 84f6bbd commit cf21984

1 file changed

+14
-5
lines changed

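--- a/wwwroot/cgi-bin/awstats.pl
+++ b/wwwroot/cgi-bin/awstats.pl
@@ -1780,7 +1780,7 @@ sub Read_Config {
 }else{if ($Debug){debug("Unable to open config file: $searchdir$SiteConfig", 2);}}
 }
 
-#CL - Added to open config if full path is passed to awstats
+#CL - Added to open config if full path is passed to awstats
 if ( !$FileConfig ) {
 
 my $SiteConfigBis = File::Spec->rel2abs($SiteConfig);
@@ -2205,7 +2205,10 @@ sub Parse_Config {
 }
 
 # Plugins
-if ( $param =~ /^LoadPlugin/ ) { push @PluginsToLoad, $value; next; }
+if ( $param =~ /^LoadPlugin/ ) {
+$value =~ s/[^a-zA-Z0-9_\/\.\+:=\?\s%\-]//g; # Sanitize plugin name and string param because it is used later in an eval.
+push @PluginsToLoad, $value; next;
+}
 
 # Other parameter checks we need to put after MaxNbOfExtra and MinHitExtra
 if ( $param =~ /^MaxNbOf(\w+)/ ) { $MaxNbOf{$1} = $value; next; }
@@ -3251,7 +3254,7 @@ sub Read_Plugins {
 }
 my $ret; # To get init return
 my $initfunction =
-"\$ret=Init_$pluginname('$pluginparam')";
+"\$ret=Init_$pluginname('$pluginparam')"; # Note that pluginname and pluginparam were sanitized when reading cong file entry 'LoadPlugin'
 my $initret = eval("$initfunction");
 if ( $initret && $initret eq 'xxx' ) {
 $initret =
@@ -17140,7 +17143,10 @@ sub HTMLMainExtra{
 # No update but report by default when run from a browser
 $UpdateStats = ( $QueryString =~ /update=1/i ? 1 : 0 );
 
-if ( $QueryString =~ /config=([^&]+)/i ) { $SiteConfig = &Sanitize("$1"); }
+if ( $QueryString =~ /config=([^&]+)/i ) {
+$SiteConfig = &Sanitize("$1");
+$SiteConfig =~ s/\.\.//g; # Avoid directory transversal
+}
 if ( $QueryString =~ /diricons=([^&]+)/i ) { $DirIcons = "$1"; }
 if ( $QueryString =~ /pluginmode=([^&]+)/i ) {
 $PluginMode = &Sanitize( "$1", 1 );
@@ -17227,7 +17233,10 @@ sub HTMLMainExtra{
 # Update with no report by default when run from command line
 $UpdateStats = 1;
 
-if ( $QueryString =~ /config=([^&]+)/i ) { $SiteConfig = &Sanitize("$1"); }
+if ( $QueryString =~ /config=([^&]+)/i ) {
+$SiteConfig = &Sanitize("$1");
+$SiteConfig =~ s/\.\.//g;
+}
 if ( $QueryString =~ /diricons=([^&]+)/i ) { $DirIcons = "$1"; }
 if ( $QueryString =~ /pluginmode=([^&]+)/i ) {
 $PluginMode = &Sanitize( "$1", 1 );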
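Review bot: In the Read_Plugins hunk, `eval("$initfunction")` still compiles a string built from `$pluginname` and `$pluginparam`, so its safety rests entirely on the character filter added in Parse_Config being applied on every path that fills `@PluginsToLoad`; the hunks do not show whether that is the only path. The filter also keeps characters such as `:`, `=`, `?`, `+`, `/` and whitespace, which are inert inside the quoted parameter but are not valid in the unquoted `Init_$pluginname` part. I would validate the name at the sink with `$pluginname =~ /\A\w+\z/` and replace the string eval with a direct call, `my $init = \&{"Init_$pluginname"};` then `my $initret = eval { $ret = $init->($pluginparam) };`, assuming the Init_ subs are defined in the current package. Read_Plugins starts and ends outside the hunk, so how `$pluginname` is split from the LoadPlugin value should be confirmed there.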
