Commit 1eeaa108 authored by alice's avatar alice

main/awstats: fix CVE-2022-46391

parent 10e6be13
......@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=awstats
pkgver=7.8
pkgrel=2
pkgrel=3
pkgdesc="Free real-time logfile analyzer to get advanced statistics"
url="https://awstats.sourceforge.net/"
arch="noarch"
......@@ -11,9 +11,13 @@ depends="perl perl-uri"
subpackages="$pkgname-doc"
options="!check" # no testsuite
source="https://prdownloads.sourceforge.net/awstats/awstats-$pkgver.tar.gz
CVE-2020-35176.patch"
CVE-2020-35176.patch
CVE-2022-46391.patch
"
# secfixes:
# 7.8-r3:
# - CVE-2022-46391
# 7.8-r1:
# - CVE-2020-35176
# 7.6-r2:
......@@ -60,5 +64,8 @@ package() {
"$pkgdir"/usr/lib/$pkgname/cgi-bin/plugins/example
}
sha512sums="b532f74a8b420841b1ae7eea73fd341049925af01688a06114f53807c14c6a4edc4ca4f671b2b9c1aee8024ba25ccf69b6eae391250e5722d2fd719de4cf87e2 awstats-7.8.tar.gz
d012866662206ffba9f84af437824324bf402a49ecb67161833b3f9593ccd4327db4b465d305c3ca78e5b29917acd469760faac6f7678055d4de01621f689c63 CVE-2020-35176.patch"
sha512sums="
b532f74a8b420841b1ae7eea73fd341049925af01688a06114f53807c14c6a4edc4ca4f671b2b9c1aee8024ba25ccf69b6eae391250e5722d2fd719de4cf87e2 awstats-7.8.tar.gz
d012866662206ffba9f84af437824324bf402a49ecb67161833b3f9593ccd4327db4b465d305c3ca78e5b29917acd469760faac6f7678055d4de01621f689c63 CVE-2020-35176.patch
3ccfd18e2d883a54dc70441852fe192294d105d975ca03afcead64caa44a32828489a29ccad922b7757c465796ca233761568f93da49bd7d726a2f35f2d543de CVE-2022-46391.patch
"
From 38682330e1ec3f3af95f9436640358b2d9e4a965 Mon Sep 17 00:00:00 2001
From: rekter0 <58881147+rekter0@users.noreply.github.com>
Date: Mon, 7 Nov 2022 15:12:03 +0100
Subject: [PATCH] fix cross site scripting
xss due to printing response from Net::XWhois without proper checks
---
wwwroot/cgi-bin/plugins/hostinfo.pm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/wwwroot/cgi-bin/plugins/hostinfo.pm b/wwwroot/cgi-bin/plugins/hostinfo.pm
index 95b2c20b7..1f0ac6994 100644
--- a/wwwroot/cgi-bin/plugins/hostinfo.pm
+++ b/wwwroot/cgi-bin/plugins/hostinfo.pm
@@ -181,7 +181,7 @@ sub BuildFullHTMLOutput_hostinfo {
&tab_head("Full Whois Field",0,0,'whois');
if ($w && $w->response()) {
- print "<tr><td class=\"aws\"><pre>".($w->response())."</pre></td></tr>\n";
+ print "<tr><td class=\"aws\"><pre>".CleanXSS($w->response())."</pre></td></tr>\n";
}
else {
print "<tr><td><br />The Whois command failed.<br />Did the server running AWStats is allowed to send WhoIs queries (If a firewall is running, port 43 should be opened from inside to outside) ?<br /><br /></td></tr>\n";
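Review bot: The added line routes the whois response through CleanXSS before printing it inside `<pre>`, but CleanXSS is defined outside this hunk (not shown on this page), so what it actually neutralises cannot be read from the patch; if it is a pattern-based sanitizer rather than an HTML encoder, any character it does not rewrite still reaches the page unencoded. The response is third-party data (whatever the queried whois server returns), so the robust primitive for this text context is a plain HTML escape of at least `&`, `<` and `>`, applied in that order so the ampersand escape does not double-encode the others; it is small enough to do inline if `HTML::Entities` is not among AWStats' dependencies. BuildFullHTMLOutput_hostinfo begins before this hunk and continues after it.
```perl
if ($w && $w->response()) {
    # Whois text is third-party data rendered as HTML: escape it, do not sanitize.
    my $whois_html = $w->response();
    $whois_html =~ s/&/&amp;/g;
    $whois_html =~ s/</&lt;/g;
    $whois_html =~ s/>/&gt;/g;
    print "<tr><td class=\"aws\"><pre>".$whois_html."</pre></td></tr>\n";
}
# … unchanged: else branch printing the "Whois command failed" message …
```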