Package: awstats
Followup-For: Bug #626185
This issue is essentially the same as Bug #706076 from Apr 2013:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=706076
Unfortunately, that one was closed prematurely, which is why this bug
still exists after 1.5 years. This is really a hassle to system
administrators, and essentially describes a possible DOS attack
against AWstats. Please do take it serious!
To reproduce, all you need is a locally running Apache. Then, the
following command:
wget https://localhost:80/
triggers the following line in Apache's access.log:
127.0.0.1 - - [11/Jan/2015:18:48:38 +0000] "\x16\x03" 500 572 "-" "-"
If you (or some malicious/dumb client) does this 50 times quickly,
AWstats refuses to process this "invalid" log.
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
