From: eldy <>
Date: Thu, 22 Mar 2001 00:36:38 +0000 (+0000)
Subject: Fix check of parameters to avoid 'Cross Site Scripting attacks'
X-Git-Tag: AWSTATS_1_0~325
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=747a8143d69b2d44920a087418b059d053e71821;p=thirdparty%2FAWStats.git

Fix check of parameters to avoid 'Cross Site Scripting attacks'
---
diff --git a/awstats.pl b/awstats.pl
index 52a6b572..fda60dad 100644
--- a/awstats.pl
+++ b/awstats.pl
@@ -14,7 +14,7 @@
 #-------------------------------------------------------
 # Defines
 #-------------------------------------------------------
-$VERSION="2.24 (build 18)";
+$VERSION="2.24 (build 20)";
 $Lang=0; # Default value
@@ -733,82 +733,83 @@ $message[71][7]="
 $message[72][7]="Greek gr.png";
 # Czech (js@fsid.cvut.cz)
-$PageCode[8]="";
+$PageCode[8]="";
 $message[0][8]="Neznámý";
-$message[1][8]="Neznámý (nepøeloená IP)";
+$message[1][8]="Neznámý (nepøelo¾ená IP)";
 $message[2][8]="Ostatní";
 $message[3][8]="Prohlédnout detaily";
 $message[4][8]="Den";
 $message[5][8]="Mìsíc";
 $message[6][8]="Rok";
 $message[8][8]="Statistika pro";
-$message[8][8]="První návtìva";
-$message[9][8]="Poslední návtìva";
-$message[10][8]="Poèet návtìv";
-$message[11][8]="Unikátní návtìvy";
-$message[12][8]="Návtìva";
+$message[8][8]="První náv¹tìva";
+$message[9][8]="Poslední náv¹tìva";
+$message[10][8]="Poèet náv¹tìv";
+$message[11][8]="Unikátní náv¹tìvy";
+$message[12][8]="Náv¹tìva";
 $message[13][8]="Výrazy";
 $message[14][8]="Hledání";
 $message[15][8]="Procenta";
 $message[16][8]="Provoz celkem";
 $message[17][8]="Domény / zemì";
-$message[18][8]="Návtìvy";
+$message[18][8]="Náv¹tìvy";
 $message[19][8]="Stránky/URL";
 $message[20][8]="Hodiny";
-$message[21][8]="Browsery (prohlíeèe)";
+$message[21][8]="Browsery (prohlí¾eèe)";
 $message[22][8]="HTTP Chyby";
 $message[23][8]="Reference";
 $message[24][8]="Hledané výrazy";
-$message[25][8]="Návtìvy domény/zemì";
+$message[25][8]="Náv¹tìvy domény/zemì";
 $message[26][8]="hosts";
 $message[27][8]="stránek";
-$message[28][8]="r;zné stránky";
+$message[28][8]="rùzné stránky";
 $message[29][8]="Pøistup";
 $message[30][8]="Jiná slova";
-$message[31][8]="Pouité browsery (prohlíeèe)";
+$message[31][8]="Pou¾ité browsery (prohlí¾eèe)";
 $message[32][8]="Chybové kódy HTTP ";
 $message[33][8]="Verze Netscape";
 $message[34][8]="Verze MS Internet Explorer";
-$message[35][8]="Pouitý OS";
+$message[35][8]="Pou¾itý OS";
 $message[36][8]="Konekce z";
 $message[37][8]="Pùvod";
 $message[38][8]="Pøímá adresa / Oblíbené (Bookmark)";
 $message[39][8]="Odkaz z Newsgroup";
 $message[40][8]="Odkaz z Internetového vyhledávaèe";
-$message[41][8]="Odkaz z jiné stránky (jiné stránky ne vyhledávaèe)";
+$message[41][8]="Odkaz z jiné stránky (jiné stránky ne¾ vyhledávaèe)";
 $message[42][8]="Odkaz z vlastní stránky (jiná stránka na serveru)";
-$message[43][8]="výrazy pouité ve vyhledávaèi";
+$message[43][8]="výrazy pou¾ité ve vyhledávaèi";
 $message[44][8]="Kb";
-$message[45][8]="NepøeloenáIP adresa";
-$message[46][8]="Neznámy OS (poloka Referer)";
-$message[47][8]="Poadované, ale nenalezené URL (HTTP 404)";
+$message[45][8]="Nepøelo¾ená IP adresa";
+$message[46][8]="Neznámy OS (polo¾ka Referer)";
+$message[47][8]="Po¾adované, ale nenalezené URL (HTTP 404)";
 $message[48][8]="IP Addresa";
 $message[49][8]="Chyba Dotazù";
-$message[50][8]="neznámý browser (prohlíeè) è (poloka Referer)";
-$message[51][8]="Návtìvnost robotù";
-$message[52][8]="návtìv/návtìvníka";
+$message[50][8]="neznámý browser (prohlí¾eè) (polo¾ka Referer)";
+$message[51][8]="Náv¹tìvnost robotù";
+$message[52][8]="náv¹tìv/náv¹tìvníka";
 $message[53][8]="Roboti";
-$message[54][8]="Volnì iøitelný nástroj pro analýzu web statistik";
+$message[54][8]="Volnì ¹iøitelný nástroj pro analýzu web statistik";
 $message[55][8]="z";
 $message[56][8]="Stránek";
-$message[57][8]="Dotazù";
+$message[57][8]="Hity";
 $message[58][8]="Verze";
 $message[59][8]="OS";
-$message[60][8]="Leden";
-$message[61][8]="Únor";
-$message[62][8]="Bøezen";
-$message[63][8]="Duben";
-$message[64][8]="Kveten";
-$message[65][8]="Èerven";
-$message[66][8]="Èervenec";
-$message[67][8]="Srpen";
-$message[68][8]="Záøí";
-$message[69][8]="Øíjen";
-$message[70][8]="Listopad";
-$message[71][8]="Prosinec";
+$message[60][8]="Led";
+$message[61][8]="Úno";
+$message[62][8]="Bøe";
+$message[63][8]="Dub";
+$message[64][8]="Kvì";
+$message[65][8]="Èer";
+$message[66][8]="Èvc";
+$message[67][8]="Srp";
+$message[68][8]="Záø";
+$message[69][8]="Øíj";
+$message[70][8]="Lis";
+$message[71][8]="Pro";
 $message[72][8]="Czech cz.png";
+
 # ---------- Browser lists ----------------
 # ("browser id in lower case", "browser text")
 %BrowsersHash = (
@@ -825,6 +826,7 @@ $message[72][8]="Czech cz.png";
 "antfresco","ANT Fresco",
 "bpftp","BPFTP",
 "cyberdog","Cyberdog",
+"dreamcast","Dreamcast",
 "downloadagent","DownloadAgent",
 "ecatch", "eCatch",
 "emailsiphon","EmailSiphon",
@@ -1250,7 +1252,7 @@ $message[72][8]="Czech cz.png";
 sub html_head {
 print "\n";
 print "
\n";
- if ($PageCode[$Lang] ne "") { print "$PageCode[$Lang]\n"; }
+ if ($PageCode[$Lang] ne "") { print "$PageCode[$Lang]\n"; } # If not defined, iso-8859-1 is used in major countries
 print "\n";
 print "\n";
 print "\n";
@@ -1712,6 +1714,7 @@ else {
 }
 ($DIR=$0) =~ s/([^\/\\]*)$//; ($PROG=$1) =~ s/\.([^\.]*)$//; $Extension=$1;
 $LocalSite =~ tr/A-Z/a-z/;
+$LocalSite =~ s//; # This is to avoid 'Cross Site Scripting attacks'
 $LocalSiteWithoutwww = $LocalSite; $LocalSiteWithoutwww =~ s/www\.//;
 if (($ENV{"GATEWAY_INTERFACE"} eq "") && ($ARGV[0] eq "" || $ARGV[0] ne "-h" || $ARGV[1] eq "")) {
 print "----- $PROG $VERSION (c) Laurent Destailleur -----\n";
@@ -1775,10 +1778,11 @@ $nowsmallyear=$nowyear;$nowsmallyear =~ s/^..//;
 if (++$nowmonth < 10) { $nowmonth = "0$nowmonth"; }
 if ($nowday < 10) { $nowday = "0$nowday"; }
-if ($QueryString =~ /year=[\d][\d][\d][\d]/) { $YearRequired=$QueryString; $YearRequired =~ s/.*year=//; $YearRequired =~ s/&.*//; }
-if ($YearRequired eq "") { $YearRequired=$nowyear; }
-if ($QueryString =~ /month=/) { $MonthRequired=$QueryString; $MonthRequired =~ s/.*month=//; $MonthRequired =~ s/&.*//; }
-if ($MonthRequired eq "") { $MonthRequired=$nowmonth; }
+# Check year and month parameters (check is very restrictive to avoid 'cross site scripting attacks')
+if ($QueryString =~ /year=/) { $YearRequired=$QueryString; $YearRequired =~ s/.*year=//; $YearRequired =~ s/&.*//; }
+if ($YearRequired !~ /^[\d][\d][\d][\d]$/) { $YearRequired=$nowyear; }
+if ($QueryString =~ /month=/) { $MonthRequired=$QueryString; $MonthRequired =~ s/.*month=//; $MonthRequired =~ s/&.*//; }
+if ($MonthRequired ne "year" && $MonthRequired !~ /^[\d][\d]$/) { $MonthRequired=$nowmonth; }
 $BrowsersHash{"netscape"}="Netscape ($message[58][$Lang])";
 $BrowsersHash{"msie"}="MS Internet Explorer ($message[58][$Lang])";
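Review bot: The pattern of the substitution added after `$LocalSite =~ tr/A-Z/a-z/;` is not visible in this rendering (it shows as `s//;`, presumably because its angle-bracketed content was stripped as markup), so what it removes cannot be confirmed from the page; whatever it is, deleting suspicious sequences from the input is a blacklist that has to anticipate every way the value could later break out of the HTML it is printed into. The lowercasing and the `www.` removal on the following context line suggest `$LocalSite` is a host name; if that holds, an anchored positive check is simpler to reason about, e.g. `$LocalSite = ($LocalSite =~ /^([a-z0-9.\-]+)\z/) ? $1 : "";`, and the derived `$LocalSiteWithoutwww` then inherits the guarantee. Independently of the input filter, escaping `$LocalSite` at the point where it is interpolated into HTML output (not in this hunk) is the fix that covers every path, since this line only protects values that pass through it.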
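Review bot: The two validation regexes added here, `/^[\d][\d][\d][\d]$/` and `/^[\d][\d]$/`, end in `$`, which in Perl also matches just before a trailing newline, so a value such as `"2001\n"` passes the check and is then used as-is; `\z` is the strict end-of-string anchor. The month check also accepts any two digits (`00`, `13`, `99`), while the padding two lines above only ever produces `01`..`12` for `$nowmonth`. I would write the two checks as `if ($YearRequired !~ /^\d{4}\z/) { $YearRequired=$nowyear; }` and `if ($MonthRequired ne "year" && $MonthRequired !~ /^(?:0[1-9]|1[0-2])\z/) { $MonthRequired=$nowmonth; }`. Whether `$QueryString` can actually carry a newline depends on how it is filled, which is outside this hunk, but `\z` costs nothing either way.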