AWStats Changelog ----------------- ***** 6.3 ***** New features/improvements: - Added the geoip_isp_maxmind and geoip_org_maxmind plugin. Fixes: - The geoip_city_maxmind plugin was sometimes bind. - Removed an unknown security hole. - Removed an other unknown security hole (found by iDEFENSE). Other/Documentation: - Updated documentation - Updated language files Reproducible: Always Steps to Reproduce: 1. 2. 3.
Jes
Jesús: Please use New -> Gentoo Security -> Component: Vulnerabilites for such reports in future. Also a comment about the impact of the issue and links to the relevant advisories would be fine.
Apache please verify and advise.
http://ns3744.ovh.net/~ldestail/awstats/cvschangelogbuilder_awstats.html leaks: Issue #1 ("allows a user to run perl code with web server permissions") http://cvs.sourceforge.net/viewcvs.py/awstats/awstats/wwwroot/cgi-bin/awstats.pl.diff?r1=1.786&r2=1.788 Issue #2 ("other unknown security hole (found by iDEFENSE)") http://cvs.sourceforge.net/viewcvs.py/awstats/awstats/wwwroot/cgi-bin/awstats.pl.diff?r1=1.795&r2=1.796 Someone with time should look into those and tell us what it's really about.
I looked at it and apparently awstats is using untrusted input in plugin handling that may end up executing user-supplied perl code. Looks like a local attack to me, allowing a local user which would have access to awstats to execute code as the web server user. Downgrading severity. Apache herd, this is yours, please bump.
iDEFENSE advisory @ http://www.idefense.com/application/poi/display?id=185&type=vulnerabilities excerpts: ====================================================================== DESCRIPTION Remote exploitation of an input validation vulnerability in AWStats allows attackers to execute arbitrary commands under the privileges of the web server. The problem specifically exists when the application is running as a CGI script on a web server. The "configdir" parameter contains unfiltered user-supplied data that is utilized in a call to the Perl routine open() as can be seen here on line 1082 of awstats.pl: if (open(CONFIG,"$searchdir$PROG.$SiteConfig.conf")) The "searchdir" variables hold the value of the parameter provided by the attacker from "configdir." An attacker can cause arbitrary commands to be executed by prefixing them with the "|" character. ANALYSIS Successful exploitation allows remote attackers to execute arbitrary commands under the privileges of the web server. This can lead to further compromise as it provides remote attackers with local access. WORKAROUND Add a filter around the "configdir" parameter by replacing the following line: if ($QueryString =~ /configdir=([^&]+)/i) { $DirConfig=&DecodeEncodedString("$1"); } With: if ($QueryString =~ /configdir=([^&]+)/i) { $DirConfig=&DecodeEncodedString("$1"); $DirConfig=~tr/a-z0-9_\-\/\./a-z0-9_\-\/\./cd; } =================================================================
zul, I think it's your turf.
Nothing yet. Stuart please fix/mask.
If it stays masked we should issue a Masking GLSA.
6.3 is in CVS and stable on x86. 6.1 is also currently marked stable on ppc.
Thanks a lot for saving this package !
Stable on ppc.
GLSA 200501-36
