Bug 77963 - net-www/awstats Remote code execution
Summary: net-www/awstats Remote code execution
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://awstats.sourceforge.net/docs/a...
Whiteboard: B1 [glsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2005-01-14 05:19 UTC by Jesús García Crespo (aka Sevein)
Modified: 2005-01-25 12:13 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Jesús García Crespo (aka Sevein) 2005-01-14 05:19:56 UTC
AWStats Changelog
-----------------

***** 6.3 *****

New features/improvements:
- Added the geoip_isp_maxmind and geoip_org_maxmind plugin.

Fixes:
- The geoip_city_maxmind plugin was sometimes bind.
- Removed an unknown security hole.
- Removed an other unknown security hole (found by iDEFENSE).

Other/Documentation:
- Updated documentation
- Updated language files

Reproducible: Always
Steps to Reproduce:
1.
2.
3.
Comment 2 Carsten Lohrke (RETIRED) gentoo-dev 2005-01-14 06:29:59 UTC
Jesús: Please use New -> Gentoo Security -> Component: Vulnerabilities for such reports in future. Also a comment about the impact of the issue and links to the relevant advisories would be fine.
Comment 3 Sune Kloppenborg Jeppesen gentoo-dev 2005-01-14 06:32:58 UTC
Apache please verify and advise.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-01-14 10:29:42 UTC
http://ns3744.ovh.net/~ldestail/awstats/cvschangelogbuilder_awstats.html leaks:

Issue #1 ("allows a user to run perl code with web server permissions") 
http://cvs.sourceforge.net/viewcvs.py/awstats/awstats/wwwroot/cgi-bin/awstats.pl.diff?r1=1.786&r2=1.788

Issue #2 ("other unknown security hole (found by iDEFENSE)")
http://cvs.sourceforge.net/viewcvs.py/awstats/awstats/wwwroot/cgi-bin/awstats.pl.diff?r1=1.795&r2=1.796

Someone with time should look into those and tell us what it's really about.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-01-17 06:26:15 UTC
I looked at it and apparently awstats is using untrusted input in plugin handling that may end up executing user-supplied perl code. Looks like a local attack to me, allowing a local user which would have access to awstats to execute code as the web server user.

Downgrading severity. Apache herd, this is yours, please bump.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-01-18 05:37:55 UTC
iDEFENSE advisory @
http://www.idefense.com/application/poi/display?id=185&type=vulnerabilities

excerpts:
======================================================================
DESCRIPTION

Remote exploitation of an input validation vulnerability in AWStats
allows attackers to execute arbitrary commands under the privileges of
the web server.
The problem specifically exists when the application is running as a
CGI script on a web server. The "configdir" parameter contains
unfiltered user-supplied data that is utilized in a call to the Perl
routine open() as can be seen here on line 1082 of awstats.pl:

    if (open(CONFIG,"$searchdir$PROG.$SiteConfig.conf"))

The "searchdir" variable holds the value of the parameter provided by
the attacker from "configdir." An attacker can cause arbitrary commands
to be executed by prefixing them with the "|" character.

ANALYSIS

Successful exploitation allows remote attackers to execute arbitrary
commands under the privileges of the web server. This can lead to
further compromise as it provides remote attackers with local access.

WORKAROUND

Add a filter around the "configdir" parameter by replacing the following
line:

    if ($QueryString =~ /configdir=([^&]+)/i)
    {
        $DirConfig=&DecodeEncodedString("$1");
    }

With:

    if ($QueryString =~ /configdir=([^&]+)/i)
    {
        $DirConfig=&DecodeEncodedString("$1");
        $DirConfig=~tr/a-z0-9_\-\/\./a-z0-9_\-\/\./cd;
    }
=================================================================
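The open() sink and the tr///cd workaround quoted above, as an added example that is not part of the bug report, of AWStats or of the iDEFENSE advisory. It is a stand-alone Perl script (the demo directory, the sub names and the "touch" payload are this example's own constructions) that feeds an attacker-shaped configdir value first to the vulnerable two-argument open(), then to the filtered three-argument form, and prints what the advisory's character whitelist actually does to the input:

```perl
#!/usr/bin/perl
# Added example, not AWStats code: reproduces the configdir command injection
# from the iDEFENSE advisory (two-argument open() on an attacker-controlled
# filename) and checks what the tr///cd workaround does and does not stop.
# The demo directory, sub names and payload are this example's own.
use strict;
use warnings;

my $PROG       = 'awstats';
my $SiteConfig = 'example.com';

# Constructed config directory; lowercase name so the whitelist below keeps it.
my $confdir = "awstats-demo-$$/";
mkdir $confdir or die "mkdir $confdir: $!";
END { unlink glob("$confdir*"); rmdir $confdir }

open(my $wr, '>', "$confdir$PROG.$SiteConfig.conf") or die $!;
print $wr "SiteDomain=\"example.com\"\n";
close $wr;

# Vulnerable pattern (awstats.pl before 6.3): $searchdir is taken straight
# from configdir=. A two-argument open() parses its filename as a mode string,
# so a leading "|" means "spawn this command and write to it", and because the
# string contains shell metacharacters it is handed to /bin/sh -c.
sub read_config_vulnerable {
    my ($searchdir) = @_;
    no warnings 'io';    # reading from a write-only pipe handle warns; not the point here
    if (open(CONFIG, "$searchdir$PROG.$SiteConfig.conf")) {
        my @lines = <CONFIG>;
        close CONFIG;    # for a pipe this waits for the spawned command to exit
        return join('', @lines);
    }
    return undef;
}

# The advisory's workaround, verbatim: same list on both sides, /cd.
sub sanitize_configdir_advisory {
    my ($dir) = @_;
    $dir =~ tr/a-z0-9_\-\/\./a-z0-9_\-\/\./cd;
    return $dir;
}

# Canonical "delete everything outside the whitelist" form: empty replacement
# list. With /d Perl uses the replacement list exactly as written, and a
# complemented search list is ordered by code point, so in the advisory's
# version the 40 lowest code points outside the whitelist (\x00 through "'")
# are mapped onto the 40 whitelist characters instead of deleted; "|", ";",
# "<", ">" and uppercase letters lie above that range and are deleted either way.
sub sanitize_configdir {
    my ($dir) = @_;
    $dir =~ tr/a-z0-9_\-\/\.//cd;
    return $dir;
}

# Hardened reader: filtered directory plus three-argument open() with an
# explicit read mode, which never interprets the path as a command.
sub read_config_hardened {
    my ($searchdir) = @_;
    my $path = sanitize_configdir($searchdir) . "$PROG.$SiteConfig.conf";
    open(my $rd, '<', $path) or return undef;
    local $/;
    my $content = <$rd>;
    close $rd;
    return $content;
}

# Constructed attacker value. The sink builds "|touch <marker>;awstats.example.com.conf",
# i.e. sh -c 'touch <marker>; awstats.example.com.conf' (the second word fails on stderr).
my $marker  = "${confdir}pwned";
my $payload = "|touch $marker;";

read_config_vulnerable($payload);
print "vulnerable open(): marker ", (-e $marker ? "created, injected command ran\n" : "absent\n");
unlink $marker;

my $out = read_config_hardened($payload);
print "hardened open():   marker ", (-e $marker ? "created\n" : "absent\n"),
      "                   config read: ", (defined $out ? "yes\n" : "no, filtered path does not exist\n");

# Legitimate use still works through the hardened path.
print "legit config:      ", read_config_hardened($confdir);

# What the two filters do to a mixed input; note the advisory's version does
# not simply delete the space, and neither version rejects anything.
my $mixed = "a b|c;D";
print "advisory filter:   '$mixed' -> '", sanitize_configdir_advisory($mixed), "'\n";
print "delete-only filter:'$mixed' -> '", sanitize_configdir($mixed), "'\n";

# "." and "/" are whitelisted, so traversal out of the intended directory is
# untouched: the filter stops command injection, not path injection.
print "traversal:         '../../etc/' -> '", sanitize_configdir("../../etc/"), "'\n";
```

Run it with perl from a writable directory on a Unix host; the "awstats.example.com.conf: not found" line on stderr during the first call is the shell attempting to execute the filename suffix after the injected command, which is exactly the behaviour the advisory describes. The last two prints are the checks a reviewer of the workaround would want: the whitelist neutralises the pipe, but uppercase components are silently mangled rather than rejected and "../" passes through untouched, so the three-argument open() and a check that the resolved path stays under the expected configuration directory still belong in a real fix.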
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-01-20 01:20:12 UTC
zul, I think it's your turf.
Comment 8 Sune Kloppenborg Jeppesen gentoo-dev 2005-01-23 22:35:48 UTC
Nothing yet. Stuart please fix/mask.
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-01-24 02:33:33 UTC
If it stays masked we should issue a Masking GLSA.
Comment 10 Aaron Walker (RETIRED) gentoo-dev 2005-01-24 06:47:45 UTC
6.3 is in CVS and stable on x86.  6.1 is also currently marked stable on ppc.
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2005-01-24 08:48:57 UTC
Thanks a lot for saving this package !
Comment 12 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-01-25 10:31:09 UTC
Stable on ppc.
Comment 13 Luke Macken (RETIRED) gentoo-dev 2005-01-25 12:13:30 UTC
GLSA 200501-36