Bug 77963 - net-www/awstats Remote code execution
Bug#: 77963
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: major
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: correo@sevein.com
Component: Vulnerabilities
URL: http://awstats.sourceforge.net/docs/awstats_changelog.txt
Summary: net-www/awstats Remote code execution
Status Whiteboard: B1 [glsa] jaervosz
Opened: 2005-01-14 05:19 0000
AWStats Changelog
-----------------
***** 6.3 *****
New features/improvements:
- Added the geoip_isp_maxmind and geoip_org_maxmind plugin.
Fixes:
- The geoip_city_maxmind plugin was sometimes bind.
- Removed an unknown security hole.
- Removed another unknown security hole (found by iDEFENSE).
Other/Documentation:
- Updated documentation
- Updated language files
Reproducible: Always
Jesús: Please use New -> Gentoo Security -> Component: Vulnerabilities for such
reports in future. Also a comment about the impact of the issue and links to
the relevant advisories would be fine.
Apache please verify and advise.
I looked at it and apparently awstats is using untrusted input in plugin
handling that may end up executing user-supplied perl code. Looks like a local
attack to me, allowing a local user which would have access to awstats to
execute code as the web server user.
Downgrading severity. Apache herd, this is yours, please bump.
iDEFENSE advisory @
http://www.idefense.com/application/poi/display?id=185&type=vulnerabilities
excerpts:
======================================================================
DESCRIPTION
Remote exploitation of an input validation vulnerability in AWStats
allows attackers to execute arbitrary commands under the privileges of
the web server.
The problem specifically exists when the application is running as a
CGI script on a web server. The "configdir" parameter contains
unfiltered user-supplied data that is utilized in a call to the Perl
routine open() as can be seen here on line 1082 of awstats.pl:
    if (open(CONFIG,"$searchdir$PROG.$SiteConfig.conf"))
The "searchdir" variables hold the value of the parameter provided by
the attacker from "configdir." An attacker can cause arbitrary commands
to be executed by prefixing them with the "|" character.
ANALYSIS
Successful exploitation allows remote attackers to execute arbitrary
commands under the privileges of the web server. This can lead to
further compromise as it provides remote attackers with local access.
WORKAROUND
Add a filter around the "configdir" parameter by replacing the following
line:
    if ($QueryString =~ /configdir=([^&]+)/i)
    {
        $DirConfig=&DecodeEncodedString("$1");
    }
With:
    if ($QueryString =~ /configdir=([^&]+)/i)
    {
        $DirConfig=&DecodeEncodedString("$1");
        # allow-list: keep only a-z, 0-9, "_", "-", "/" and ".", drop the rest
        $DirConfig=~tr/a-z0-9_\-\/\./a-z0-9_\-\/\./cd;
    }
=================================================================
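An added illustration, not code from AWStats or from the iDEFENSE advisory, of the two defensive measures the excerpt describes: the allow-list filter on configdir (written here with an empty replacement list so that every character outside the set is deleted) and the three-argument form of open(), which takes its third argument purely as a filename so a leading "|" can never turn it into a pipe. The function names and sample values are assumptions.

```perl
#!/usr/bin/perl
# Added example; not AWStats code. Function names and sample inputs are assumed.
use strict;
use warnings;

# Allow-list filter on the configdir value, in the spirit of the iDEFENSE
# workaround. The empty replacement list plus /c (complement) and /d (delete)
# removes every character outside [a-z0-9_-/.], including "|", ";", "`" and
# whitespace, instead of mapping them onto anything.
sub sanitize_configdir {
    my ($dir) = @_;
    $dir =~ tr{a-z0-9_\-/.}{}cd;
    return $dir;
}

# Three-argument open with an explicit read mode: the third argument is taken
# literally as a filename, so a "|" at either end is just a character in the
# name and never starts a pipe, unlike the two-argument open quoted above.
# Returns the filehandle, or undef if the file cannot be opened.
sub open_config {
    my ($searchdir, $prog, $siteconfig) = @_;
    my $path = "$searchdir$prog.$siteconfig.conf";
    open(my $fh, '<', $path) or return;
    return $fh;
}

# Constructed sample values, printed so the effect of the filter is visible.
my @samples = (
    '/etc/awstats/',
    '/etc/awstats/ ; some_cmd |',   # shell metacharacters are stripped
    '/etc/awstats/../../tmp/',      # note: traversal is NOT stopped by the filter
);
for my $in (@samples) {
    printf "%-32s -> %s\n", $in, sanitize_configdir($in);
}

# Even an unfiltered value is opened as a plain file, never as a command.
my $fh = open_config('|some_cmd ', 'awstats', 'example');
print defined $fh ? "opened a file\n" : "open failed safely: $!\n";
close $fh if $fh;
```

The filter alone does not prevent "../" traversal within the allowed character set, so the three-argument open and a check that the resolved path lies under the intended configuration directory belong together.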
zul, I think it's your turf.
Nothing yet. Stuart please fix/mask.
If it stays masked we should issue a Masking GLSA.
6.3 is in CVS and stable on x86. 6.1 is also currently marked stable on ppc.
Thanks a lot for saving this package!