
Re: chkrootkit has me worried!



> So, here's my favourite example of the "bad implementation" problem:
> AWstats.  It's had a long history of:
> 
> o  Someone finds yet another way its stats-generating CGI can be subverted by
>    sending it aberrant URL information from the public.
> o  The upstream maintainer issues an update.
> o  Debian issues a new package.
> o  An exploit emerges and gets rolled into automated attack tools.
> o  Lather, rinse, repeat.
> 
> If you look more closely at AWstats, you might start to wonder:  "I
> guess the author never quite got input validation right.  But why 
> does it have to run as a CGI (awstats.pl) in the first place?  Can't it
> run as a cronjob, instead, generating the same stats page as static HTML
> every hour, instead?"


The most recent vulnerability that I was aware of in Awstats can still
work even in static mode. http://www.securityfocus.com/bid/14525. The
referrer in the log file is not sanity checked.

Unfortunately awstats seems to have organically grown as a single perl
script. This one script is up to almost 50000 lines of code. I've looked
a little at the code, and I can't say it is easy to follow. But it does
seem to do a good job of generating stats. I just don't feel comfortable
trusting it on my servers.

> 
> And you'd be right to wonder.  That's a solved problem, thanks to Steve
> Kemp over at debian-administration.org:
> http://www.debian-administration.org/articles/85
> 
> I keep meaning to file a very polite bug with Debian maintainer Jonas
> Smedegaard, suggesting that static-page mode be the default since
> upstream's CGI default is (in my opinion) too risky, but I haven't done
> that yet.
> 

I would agree with that idea. In fact, I've just lodged a bug report
along those lines. Bug #341308.

-- 
Geoff Crompton
Debian System Administrator
Strategic Data
+61 3 9340 9000
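The point made above, that generating the stats page as static HTML does not by itself remove the referrer problem because the referrer field is copied from the request into the log and then into the page, can be illustrated with a small report generator. This is an added example, not AWstats code and not code from anyone on this thread; it parses constructed Apache "combined" log lines and shows the escaping a static-mode generator still has to do.

```python
import html
import re
from typing import Optional

# Apache "combined" log format. The referrer and user-agent fields are
# client-supplied strings written to the log verbatim, so they are untrusted
# input whether the report is produced by a CGI or by a cron job.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def parse_combined(line: str) -> Optional[dict]:
    """Return the named fields of one log line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None

def referrer_cell(referrer: str) -> str:
    """Render one referrer as a table cell that is safe to embed in HTML.
    The value is escaped so log content can never become markup, and only
    http(s) URLs are turned into links so other URL schemes never reach href."""
    text = html.escape(referrer, quote=True)
    if re.match(r'^https?://', referrer, re.IGNORECASE):
        return f'<td><a href="{text}" rel="nofollow noreferrer">{text}</a></td>'
    return f'<td>{text}</td>'

def referrer_report(lines) -> str:
    """Build a static HTML table of referrer counts from combined log lines."""
    counts = {}
    for line in lines:
        rec = parse_combined(line)
        if rec is None or rec["referrer"] in ("", "-"):
            continue
        counts[rec["referrer"]] = counts.get(rec["referrer"], 0) + 1
    rows = "\n".join(f"<tr>{referrer_cell(r)}<td>{n}</td></tr>"
                     for r, n in sorted(counts.items(), key=lambda kv: -kv[1]))
    return f"<table>\n{rows}\n</table>"

# Constructed sample log lines: one ordinary referrer, one carrying markup.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Dec/2005:10:00:00 +1100] "GET / HTTP/1.1" 200 512 '
    '"http://example.org/page" "Mozilla/5.0"',
    '203.0.113.6 - - [01/Dec/2005:10:00:01 +1100] "GET / HTTP/1.1" 200 512 '
    '"<script>evil()</script>" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(referrer_report(SAMPLE_LOG))
```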


