Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3?

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3?
From: Thom Craver <tcraver@xxxxxxxxxxxx>
Date: Wed, 16 Feb 2005 09:47:07 -0500
In-reply-to: <42126DAD.7090704@xxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: Corporate Communications
References: <20050214081040.3370.qmail@xxxxxxxxxxxxxxxxxxxxx> <42121439.6020505@xxxxxxxxxxx> <42124CB7.4020909@xxxxxxxxxxx> <421252E8.8070200@xxxxxxxxxxx> <42126BBB.90606@xxxxxxxxxxxx> <42126DAD.7090704@xxxxxxxxxxx>
User-agent: Mozilla Thunderbird 1.0 (Windows/20041206)

Jamie Pratt wrote:

Still no dice on 6.3, even with the "config=www.site.org" etc,etc..same error. So.. Can we all agree that 6.3 is not vulnerable, becauseI'd rather not upgrade to a dev/unstable release for no reason...


I can confirm the bug on 6.3 running Apache 2.0.52.

Furthermore, ANY system command inserted in the system() call can beexecuted. This is a very serious bug. Unpriviledged user or not, withan .rhosts file on a potential attacker's end, scp would work justnicely, then a chmod, then execution of any script they wanted to upload.

This issue is not to be taken lightly.

Until this issue is resolved, we have commented out the Plugin lines:
# AWStats output is replaced by a plugin output
if ($PluginMode) {
      my $function="BuildFullHTMLOutput_$PluginMode()";
      eval("$function");
      if ($? || $@) { error("$@"); }
      &html_end(0);
      exit 0;
}

If a plugin is called, it is apparently ignored and the stats are displayed.

--
Thom Craver
Corporate Communications, Inc.
www.corp-com.com

585.262.3430

References:
- AWStats <= 6.4 Multiple vulnerabilities
  - From: GHC
- Re: AWStats <= 6.4 Multiple vulnerabilities
  - From: Ondra Holecek
- Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3?
  - From: Jamie Pratt
- Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3?
  - From: Ondra Holecek
- Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3?
  - From: Herman Sheremetyev
- Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3?
  - From: Jamie Pratt

Prev by Date: [CLA-2005:925] Conectiva Security Announcement - evolution
Next by Date: Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
Previous by thread: Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3?
Next by thread: Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3?
Index(es):
- Date
- Thread