Re: chkrootkit has me worried!
Quoting Geoff Crompton (geoff.crompton@strategicdata.com.au):
> The most recent vulnerability that I was aware of in Awstats can still
> work even in static mode. http://www.securityfocus.com/bid/14525. The
> referrer in the log file is not sanity checked.
Hmm.  I note:  "It should be noted this vulnerability is only possible
if the affected application has at least one URLPlugin enabled."
The iDefense advisory casts light on the problem Perl snippet:
   the $url parameter contains unfiltered user-supplied
   data that is used in a call to the Perl routine eval() on lines 4841
   and 4842 of awstats.pl (version 6.4):
   my $function="ShowInfoURL_$pluginname('$url')";
   eval("$function");
   The malicious referrer value will be included in the referrer
   statistics portion of the AWStats report after AWStats has been run
   to generate a new report including the tainted data. Once a user
   visits the referrer statistics page, the injected perl code will
   execute with permissions of the web service.
Unsafe data passed to eval().  Sheesh!
> I would agree with that idea. In fact, I've just lodged a bug report
> along those lines. Bug #341308.
Thank you, Geoff!
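Added example, not part of the original message and not AWStats code: a sketch of dispatching to a URL plugin without string eval, so that a referrer taken from the log stays data. The plugin name `demo`, the helpers `show_info_url` and `escape_html`, and the sample referrer are hypothetical and constructed for illustration.

```perl
#!/usr/bin/perl
# Added example; names below are hypothetical, not taken from awstats.pl.
use strict;
use warnings;

# Hypothetical URL plugin: returns extra text for a URL shown in a report.
sub ShowInfoURL_demo {
    my ($url) = @_;
    return "[info for " . escape_html($url) . "]";
}

# Plugins are registered as code references; only these names can be called.
my %URL_PLUGINS = ( demo => \&ShowInfoURL_demo );

# Escape log-derived text before it is written into an HTML report.
sub escape_html {
    my ($s) = @_;
    my %ent = ( '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
                '"' => '&quot;', "'" => '&#39;' );
    $s =~ s/([&<>"'])/$ent{$1}/g;
    return $s;
}

# Hardened dispatch: the URL is passed as an argument to a known handler
# and is never compiled as Perl source.
sub show_info_url {
    my ($pluginname, $url) = @_;
    my $handler = $URL_PLUGINS{$pluginname}
        or die "unknown URL plugin: $pluginname\n";
    return $handler->($url);
}

# Constructed sample referrer containing a quote character.
my $referrer = "http://example.test/page?q=it's";

# The string the quoted pattern would hand to eval(): the quote inside the
# data ends the Perl string literal, so the rest is parsed as code.
# It is only printed here, never evaluated.
my $as_source = "ShowInfoURL_demo('$referrer')";
print "string eval would compile: $as_source\n";

print "hardened dispatch returns: ", show_info_url('demo', $referrer), "\n";

# Block eval only traps the die; an unregistered plugin name is rejected
# instead of being turned into a function call.
print "rejected: $@" unless eval { show_info_url('nosuch', $referrer); 1 };
```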