Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 92096

Summary: net-www/awstats exploit
Product: Gentoo Security Reporter: bin-doph <bauer>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED INVALID    
Severity: critical CC: beu, ka0ttic
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.frsirt.com/english/advisories/2005/0032
Whiteboard:
Package list:
Runtime testing required: ---

Description bin-doph 2005-05-10 02:50:45 UTC 
The script awstats.pl, which comes with awstats is vulnerable to specific urls (pipes in urls aren't parsed properly and commands are executed)

http://sourceforge.net/tracker/index.php?func=detail&aid=1198578&group_id=13764&atid=113764

Reproducible: Always
Steps to Reproduce:
1. Search a webserver running awstats.
2. Check if /cgi-bin/awstats.pl is accessable (the internal awstats-remote-ip-check doesn't work for this exploit...)
3. Add commands to the URL-parameter configdir=|echo;uname%20-a
4. Suprise

Actual Results:  
If I take the url provided above, I'd see the output of uname -a and then the
html-output of the awstats-script in text/plain

Expected Results:  
It should have parsed the | out and other stuff to prevent execution of programs

This exploit is currently used by a lot of spammers to upload and execute
spam-scripts to webservers. Restricting the access to the cgi-bin with
Allow,Deny-directives through apache is a workaround.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-10 03:00:06 UTC 
Aaron please advise.
Comment 2 bin-doph 2005-05-11 05:43:33 UTC 
This is the source of the exploit-shell. Not only the configdir-paramter is unsecure... changing the name of the cgi-bin is also a workaround.

http://www.addict3d.org/index.php?page=viewarticle&type=security&ID=3397
Comment 3 Elfyn McBratney (beu) (RETIRED) gentoo-dev 2005-05-11 07:31:00 UTC 
Tested with both 6.3-r2 and 6.4 with the poc code[1], and by hand.  We're
clean.

[1] http://www.frsirt.com/exploits/20050302.awstats_shell.c.php
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-11 07:33:30 UTC 
Closing as INVALID. Feel free to reopen if you disagree.