
AWStats Multiple Unspecified Remote Input Validation Vulnerabilities



  On 2005/02/03, wiki.debian.org.tw was hax0red by aneurysm.inc, who
is a cracker from Brazil. He successfully changed several web pages
on the host, but failed to bind a shell or install a trojan. He
filed a defacement on zone-h.org.
http://www.zone-h.org/en/defacements/view/id=2038714/

  I noticed that Joey did an NMU with a patch from Ubuntu 20 days ago,
but the patch did not address all vulnerabilities. There is
another input validation vulnerability. The "pluginmode" parameter
can be exploited in a call to the Perl routine eval(), which allows
attackers to execute arbitrary commands.

You can see this on lines 5660-5666 of awstats.pl 6.2. An attacker can prefix
arbitrary commands with ':system(cmd)' or ';system(cmd)' through a
URI parameter. The attachment is my quick and dirty workaround patch.

  5659	# AWStats output is replaced by a plugin output
  5660	if ($PluginMode) {
  5661		my $function="BuildFullHTMLOutput_$PluginMode()";
  5662		eval("$function");
  5663		if ($? || $@) { error("$@"); }
  5664		&html_end(0);
  5665		exit 0;
  5666	}

Please
  * announce a DSA.
  * upgrade to awstats 6.3 ASAP.

Best Regards
-Rex

--- awstats.pl	2005-02-06 06:05:54.000000000 +0800
+++ awstats.pl.orig	2004-10-31 02:02:24.000000000 +0800
@@ -5333,8 +5333,8 @@
 
 	if ($QueryString =~ /config=([^&]+)/i)				{ $SiteConfig=&DecodeEncodedString("$1"); }
 	if ($QueryString =~ /diricons=([^&]+)/i)			{ $DirIcons=&DecodeEncodedString("$1"); }
-	if ($QueryString =~ /pluginmode=([^&]+)/i)			{ $PluginMode=&DecodeEncodedString("$1"); $PluginMode =~ s/[^\w_\-\\\/\.\s]//g}
-	if ($QueryString =~ /configdir=([^&]+)/i)			{ $DirConfig=&DecodeEncodedString("$1"); $DirConfig =~ s/[^\w_\-\\\/\.\s]//g }
+	if ($QueryString =~ /pluginmode=([^&]+)/i)			{ $PluginMode=&DecodeEncodedString("$1"); }
+	if ($QueryString =~ /configdir=([^&]+)/i)			{ $DirConfig=&DecodeEncodedString("$1"); }
 	# All filters
 	if ($QueryString =~ /hostfilter=([^&]+)/i)			{ $FilterIn{'host'}=&DecodeEncodedString("$1"); }			# Filter on host list can also be defined with hostfilter=filter
 	if ($QueryString =~ /hostfilterex=([^&]+)/i)		{ $FilterEx{'host'}=&DecodeEncodedString("$1"); }			#
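
Review bot: the file headers are swapped (--- awstats.pl, +++ awstats.pl.orig), so the two lines that add the s/[^\w_\-\\\/\.\s]//g filter to pluginmode and configdir show up as removals and the unfiltered originals as additions; regenerate it as diff -u awstats.pl.orig awstats.pl so it applies in the intended direction. On the pluginmode line the character class is also wider than that value needs: it is only used as the suffix of a sub name in the eval at lines 5660-5666, so \w alone would do (the explicit _ is already covered by \w), and \-, \\, \/, \. and \s can be dropped there. The config= and diricons= lines in the same hunk still take the decoded value with no filtering at all, which deserves a second look since this is described as a quick workaround.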

Attachment: signature.asc
Description: OpenPGP digital signature
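
The report above traces the problem to request data reaching a string eval(). As an added example (not part of the original message and not AWStats code), here is one way to dispatch a plugin output routine by name without eval; resolve_plugin_output and BuildFullHTMLOutput_geoip are hypothetical names, and the sample inputs are constructed.

```perl
#!/usr/bin/perl
# Added example, not AWStats code: pick a plugin output routine by name
# without ever passing request data to string eval().
use strict;
use warnings;

# Hypothetical stand-in for an output routine that a plugin would define.
sub BuildFullHTMLOutput_geoip { return "geoip plugin output\n"; }

# Map a pluginmode value to a code reference.
# Returns nothing (undef in scalar context) when the value is not a plain
# identifier or when no matching routine is defined.
sub resolve_plugin_output {
    my ($mode) = @_;
    return unless defined $mode;

    # Allowlist: letters, digits and underscore only, bounded length.
    # \A and \z anchor the whole string, so a trailing newline is rejected too.
    return unless $mode =~ /\A[A-Za-z0-9_]{1,64}\z/;

    # can() looks the sub up in the symbol table; nothing is compiled or run.
    return main->can("BuildFullHTMLOutput_$mode");
}

# Constructed sample values; the last two use the forms quoted in the report.
for my $mode ('geoip', 'nosuchplugin', ':system(cmd)', ';system(cmd)') {
    my $code = resolve_plugin_output($mode);
    if ($code) {
        print "accepted [$mode]: ", $code->();
    }
    else {
        print "rejected [$mode]\n";
    }
}
```

Only the first value is accepted; the unknown name fails the symbol-table lookup and the other two fail the allowlist before any lookup happens.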

