
Bug 77963

Summary: net-www/awstats Remote code execution
Product: Gentoo Security
Reporter: Jesús García Crespo (aka Sevein) <correo>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: major
CC: apache-bugs, compnerd, ka0ttic, marek.wiecek
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B1 [glsa] jaervosz
Package list:
Runtime testing required: ---

Description Jesús García Crespo (aka Sevein) 2005-01-14 05:19:56 UTC
AWStats Changelog

***** 6.3 *****

New features/improvements:
- Added the geoip_isp_maxmind and geoip_org_maxmind plugin.

- The geoip_city_maxmind plugin was sometimes bind.
- Removed an unknown security hole.
- Removed an other unknown security hole (found by iDEFENSE).

- Updated documentation
- Updated language files

Reproducible: Always
Steps to Reproduce:
Comment 1 Carsten Lohrke (RETIRED) gentoo-dev 2005-01-14 06:29:59 UTC
Comment 2 Carsten Lohrke (RETIRED) gentoo-dev 2005-01-14 06:29:59 UTC
Jesús: Please use New -> Gentoo Security -> Component: Vulnerabilities for such reports in future. Also a comment about the impact of the issue and links to the relevant advisories would be fine.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-14 06:32:58 UTC
Apache please verify and advise.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-01-14 10:29:42 UTC
leaks:

Issue #1 ("allows a user to run perl code with web server permissions")

Issue #2 ("other unknown security hole (found by iDEFENSE)")

Someone with time should look into those and tell us what it's really about.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-01-17 06:26:15 UTC
I looked at it and apparently awstats is using untrusted input in plugin handling that may end up executing user-supplied perl code. Looks like a local attack to me, allowing a local user which would have access to awstats to execute code as the web server user.

Downgrading severity. Apache herd, this is yours, please bump.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-01-18 05:37:55 UTC
iDEFENSE advisory @


Remote exploitation of an input validation vulnerability in AWStats
allows attackers to execute arbitrary commands under the privileges of
the web server.
The problem specifically exists when the application is running as a
CGI script on a web server. The "configdir" parameter contains
unfiltered user-supplied data that is utilized in a call to the Perl
routine open() as can be seen here on line 1082 of

    if (open(CONFIG,"$searchdir$PROG.$SiteConfig.conf"))

The "searchdir" variables hold the value of the parameter provided by
the attacker from "configdir." An attacker can cause arbitrary commands
to be executed by prefixing them with the "|" character.


Successful exploitation allows remote attackers to execute arbitrary
commands under the privileges of the web server. This can lead to
further compromise as it provides remote attackers with local access.


Add a filter around the "configdir" parameter by replacing the following

    if ($QueryString =~ /configdir=([^&]+)/i)


    if ($QueryString =~ /configdir=([^&]+)/i)
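
An added example (not AWStats code and not part of the advisory quoted above) of filtering "configdir" before it reaches open(), combined with three-argument open so the path can never be read as a pipe. The helper names safe_configdir and open_config, the site name and the sample values are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper: accept only a plain absolute directory path for
# configdir and reject everything else (allow-list, not a deny-list).
sub safe_configdir {
    my ($raw) = @_;
    return unless defined $raw;
    # Must start with '/', then only letters, digits, '_', '.', '/', '-'.
    # \z (not $) so a trailing newline cannot slip through.
    return unless $raw =~ m{\A(/[A-Za-z0-9_./-]*)\z};
    my $dir = $1;                                # untainted copy under -T
    return if $dir =~ m{(?:\A|/)\.\.(?:/|\z)};   # no parent-directory hops
    $dir .= '/' unless $dir =~ m{/\z};
    return $dir;
}

# Three-argument open: the mode is fixed to '<', so the string is only ever
# used as a file name. With the two-argument form shown in the advisory,
# Perl derives the mode from the string itself, which is what makes a
# leading "|" significant.
sub open_config {
    my ($searchdir, $prog, $site) = @_;   # $site assumed validated elsewhere
    open(my $fh, '<', "$searchdir$prog.$site.conf") or return;
    return $fh;
}

# Constructed sample values for the configdir query parameter.
for my $raw ('/etc/awstats', '/etc/awstats/../..', '|constructed-command', 'relative/dir') {
    my $dir = safe_configdir($raw);
    if (!defined $dir) {
        printf "%-24s => rejected\n", $raw;
        next;
    }
    my $fh = open_config($dir, 'awstats', 'example');
    printf "%-24s => accepted as %s (%s)\n", $raw, $dir,
        $fh ? 'config opened' : 'no such config file';
    close $fh if $fh;
}
```
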
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-01-20 01:20:12 UTC
zul, I think it's your turf.
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-23 22:35:48 UTC
Nothing yet. Stuart please fix/mask.
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-01-24 02:33:33 UTC
If it stays masked we should issue a Masking GLSA.
Comment 10 Aaron Walker (RETIRED) gentoo-dev 2005-01-24 06:47:45 UTC
6.3 is in CVS and stable on x86.  6.1 is also currently marked stable on ppc.
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2005-01-24 08:48:57 UTC
Thanks a lot for saving this package!
Comment 12 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-01-25 10:31:09 UTC
Stable on ppc.
Comment 13 Luke Macken (RETIRED) gentoo-dev 2005-01-25 12:13:30 UTC
GLSA 200501-36