77963 2005-01-14 05:19 0000 net-www/awstats Remote code execution 2005-01-25 12:13:30 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://awstats.sourceforge.net/docs/awstats_changelog.txt B1 [glsa] jaervosz P2 major --- 1 correo@sevein.com security@gentoo.org apache-bugs@gentoo.org compnerd@gentoo.org ka0ttic@gentoo.org marek.wiecek@gmail.com correo@sevein.com 2005-01-14 05:19:56 0000 AWStats Changelog ----------------- ***** 6.3 ***** New features/improvements: - Added the geoip_isp_maxmind and geoip_org_maxmind plugin. Fixes: - The geoip_city_maxmind plugin was sometimes bind. - Removed an unknown security hole. - Removed an other unknown security hole (found by iDEFENSE). Other/Documentation: - Updated documentation - Updated language files Reproducible: Always Steps to Reproduce: 1. 2. 3. carlo@gentoo.org 2005-01-14 06:29:59 0000 Jes carlo@gentoo.org 2005-01-14 06:29:59 0000 Jesús: Please use New -> Gentoo Security -> Component: Vulnerabilites for such reports in future. Also a comment about the impact of the issue and links to the relevant advisories would be fine. jaervosz@gentoo.org 2005-01-14 06:32:58 0000 Apache please verify and advise. koon@gentoo.org 2005-01-14 10:29:42 0000 http://ns3744.ovh.net/~ldestail/awstats/cvschangelogbuilder_awstats.html leaks: Issue #1 ("allows a user to run perl code with web server permissions") http://cvs.sourceforge.net/viewcvs.py/awstats/awstats/wwwroot/cgi-bin/awstats.pl.diff?r1=1.786&r2=1.788 Issue #2 ("other unknown security hole (found by iDEFENSE)") http://cvs.sourceforge.net/viewcvs.py/awstats/awstats/wwwroot/cgi-bin/awstats.pl.diff?r1=1.795&r2=1.796 Someone with time should look into those and tell us what it's really about. koon@gentoo.org 2005-01-17 06:26:15 0000 I looked at it and apparently awstats is using untrusted input in plugin handling that may end up executing user-supplied perl code. Looks like a local attack to me, allowing a local user which would have access to awstats to execute code as the web server user. Downgrading severity. Apache herd, this is yours, please bump. koon@gentoo.org 2005-01-18 05:37:55 0000 iDEFENSE advisory @ http://www.idefense.com/application/poi/display?id=185&type=vulnerabilities excerpts: ====================================================================== DESCRIPTION Remote exploitation of an input validation vulnerability in AWStats allows attackers to execute arbitrary commands under the privileges of the web server. The problem specifically exists when the application is running as a CGI script on a web server. The "configdir" parameter contains unfiltered user-supplied data that is utilized in a call to the Perl routine open() as can be seen here on line 1082 of awstats.pl: if (open(CONFIG,"$searchdir$PROG.$SiteConfig.conf")) The "searchdir" variables hold the value of the parameter provided by the attacker from "configdir." An attacker can cause arbitrary commands to be executed by prefixing them with the "|" character. ANALYSIS Successful exploitation allows remote attackers to execute arbitrary commands under the privileges of the web server. This can lead to further compromise as it provides remote attackers with local access. WORKAROUND Add a filter around the "configdir" parameter by replacing the following line: if ($QueryString =~ /configdir=([^&]+)/i) { $DirConfig=&DecodeEncodedString("$1"); } With: if ($QueryString =~ /configdir=([^&]+)/i) { $DirConfig=&DecodeEncodedString("$1"); $DirConfig=~tr/a-z0-9_\-\/\./a-z0-9_\-\/\./cd; } ================================================================= koon@gentoo.org 2005-01-20 01:20:12 0000 zul, I think it's your turf. jaervosz@gentoo.org 2005-01-23 22:35:48 0000 Nothing yet. Stuart please fix/mask. koon@gentoo.org 2005-01-24 02:33:33 0000 If it stays masked we should issue a Masking GLSA. ka0ttic@gentoo.org 2005-01-24 06:47:45 0000 6.3 is in CVS and stable on x86. 6.1 is also currently marked stable on ppc. koon@gentoo.org 2005-01-24 08:48:57 0000 Thanks a lot for saving this package ! hansmi@gentoo.org 2005-01-25 10:31:09 0000 Stable on ppc. lewk@gentoo.org 2005-01-25 12:13:30 0000 GLSA 200501-36