[NEWS] AWStats Remote Command Execution Vulnerability (configdir)
From: SecuriTeam (support_at_securiteam.com)
Date: 01/18/05
To: list@securiteam.com
Date: 18 Jan 2005 11:37:58 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
AWStats Remote Command Execution Vulnerability (configdir)
------------------------------------------------------------------------
SUMMARY
<http://awstats.sourceforge.net> AWStats is "a free tool that generates
advanced web, ftp or mail server statistics, graphically". Remote
exploitation of an input validation vulnerability in AWStats allows
attackers to execute arbitrary commands under the privileges of the web
server.
DETAILS
Vulnerable Systems:
* AWStats version 6.1 and prior
Immune Systems:
* AWStats version 6.3 or newer
The problem exists when the application runs as a CGI script on a web
server. The "configdir" parameter is taken from the query string without
any filtering and ends up in a call to the Perl routine open(), as can be
seen on line 1082 of awstats.pl:
if (open(CONFIG,"$searchdir$PROG.$SiteConfig.conf"))
The "searchdir" variable holds the value the attacker supplied in
"configdir". Because this is the two-argument form of open(), Perl treats a
"|" at the start or end of the name as a request to open a pipe and runs
the rest of the string as a shell command instead of opening a file. An
attacker can therefore cause arbitrary commands to be executed by placing
the "|" character in the parameter value.
Analysis:
Successful exploitation allows remote attackers to execute arbitrary
commands under the privileges of the web server. This can lead to further
compromise as it provides remote attackers with local access.
Workaround:
Add a filter around the "configdir" parameter by replacing the following
lines:
if ($QueryString =~ /configdir=([^&]+)/i)
{
$DirConfig=&DecodeEncodedString("$1");
}
With:
if ($QueryString =~ /configdir=([^&]+)/i)
{
$DirConfig=&DecodeEncodedString("$1");
$DirConfig=~tr/a-z0-9_\-\/\./a-z0-9_\-\/\./cd;
}
The tr/// with the "c" (complement) and "d" (delete) flags removes every
character of the decoded value that is not one of a-z, 0-9, "_", "-", "/"
or ".", so "|" and other shell metacharacters never reach open(). Note that
the set is lower-case only: a configuration directory whose path contains
capital letters will no longer be found, and ".." still passes the filter.
Treat this as a stop-gap until the upgrade to 6.3 is done.
Vendor response:
This vulnerability is addressed in AWStats 6.3, available for download at:
<http://awstats.sourceforge.net/#DOWNLOAD>
Exploit:
The following URL will create a file named 'id' in the /tmp directory of
the remote server containing the output of the command /usr/bin/id:
http://vulnerable/cgi-bin/awstats.pl?configdir=/usr/bin/id%20%3E%20/tmp/id%20|%20
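As an added example (not part of the advisory and not AWStats code), the following Python reproduces the advisory's parameter extraction and the workaround's allow-list, and runs a simple detector over constructed access-log lines that include the URL above. The log entries, the client addresses, the use of urllib's unquote_plus in place of AWStats's DecodeEncodedString, and the set of metacharacters flagged are all assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

# Allow-list from the advisory's workaround.  Perl's
#   tr/a-z0-9_\-\/\./a-z0-9_\-\/\./cd
# deletes (d) every character in the complement (c) of a-z 0-9 _ - / .
# The set is lower-case only, so A-Z are deleted as well.
_DISALLOWED = re.compile(r"[^a-z0-9_\-/.]")

# Characters that stop a string handed to Perl's two-argument open() (or to
# the shell behind it) from being a plain path.  '|' is what the advisory
# relies on; the rest are an assumed, deliberately broad set.
_SHELL_META = re.compile(r"[|;`$<>\n\r]")

# Request line of an Apache/NCSA-style access log entry.
_REQUEST = re.compile(
    r'"(?:GET|POST|HEAD) (?P<path>[^\s?]+)(?:\?(?P<qs>\S*))? HTTP/')


def extract_configdir(query_string):
    """Mirror awstats.pl: /configdir=([^&]+)/i on the raw query string, then
    decode the capture (unquote_plus is assumed equivalent to AWStats's
    DecodeEncodedString for these inputs)."""
    m = re.search(r"configdir=([^&]+)", query_string, re.IGNORECASE)
    if not m:
        return None
    return unquote_plus(m.group(1))


def apply_workaround(dirconfig):
    """What the patched awstats.pl keeps of the decoded configdir value."""
    return _DISALLOWED.sub("", dirconfig)


def is_suspicious(dirconfig):
    """True when the decoded configdir carries pipe/shell metacharacters."""
    return dirconfig is not None and _SHELL_META.search(dirconfig) is not None


def scan_access_log(lines):
    """Return (client, decoded configdir) for awstats.pl requests whose
    configdir contains metacharacters, regardless of how they were encoded."""
    hits = []
    for line in lines:
        m = _REQUEST.search(line)
        if not m or not m.group("qs"):
            continue
        if not m.group("path").endswith("/awstats.pl"):
            continue
        value = extract_configdir(m.group("qs"))
        if is_suspicious(value):
            hits.append((line.split(" ", 1)[0], value))
    return hits


# Constructed sample log (not real traffic): one benign request, the
# advisory's URL as a client would send it, the same payload with the pipe
# percent-encoded, and an unrelated CGI that must be ignored.
SAMPLE_LOG = [
    '198.51.100.4 - - [17/Jan/2005:09:58:12 +0200] "GET /cgi-bin/awstats.pl'
    '?config=www&configdir=/etc/awstats HTTP/1.0" 200 14235',
    '203.0.113.7 - - [17/Jan/2005:10:01:45 +0200] "GET /cgi-bin/awstats.pl'
    '?configdir=/usr/bin/id%20%3E%20/tmp/id%20|%20 HTTP/1.0" 200 1042',
    '203.0.113.7 - - [17/Jan/2005:10:02:03 +0200] "GET /cgi-bin/awstats.pl'
    '?config=www&configdir=/usr/bin/id%20%3E%20/tmp/id%20%7C%20 HTTP/1.0" 200 1042',
    '198.51.100.9 - - [17/Jan/2005:10:02:30 +0200] "GET /cgi-bin/other.pl'
    '?configdir=|id HTTP/1.0" 404 295',
]


if __name__ == "__main__":
    payload = extract_configdir("configdir=/usr/bin/id%20%3E%20/tmp/id%20|%20")
    print("decoded value reaching open():", repr(payload))
    print("after workaround filter:      ", repr(apply_workaround(payload)))
    print("upper-case path after filter: ", repr(apply_workaround("/Etc/AWStats")))
    for client, value in scan_access_log(SAMPLE_LOG):
        print("suspicious configdir from", client, "->", repr(value))
```

The detector decodes before matching, so a percent-encoded "%7C" and a raw "|" are flagged alike; matching the raw request line for "|" would miss the encoded form. The filter output for "/Etc/AWStats" shows the workaround's side effect on paths with capital letters.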
Disclosure timeline:
10/21/2004 - Initial vendor notification
01/02/2005 - Initial vendor response
01/17/2005 - Public disclosure
ADDITIONAL INFORMATION
The information has been provided by
<mailto:idlabs-advisories@idefense.com> iDEFENSE. The exploit has been
provided by <mailto:expert@securiteam.com> Noam Rathaus of Beyond
Security Ltd.
The original article can be found at:
<http://www.idefense.com/application/poi/display?id=185&type=vulnerabilities> http://www.idefense.com/application/poi/display?id=185&type=vulnerabilities
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.