Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3?

From: Thom Craver (tcraver_at_corp-com.com)
Date: 02/16/05

  • Next message: Thor (Hammer of God): "Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs."
    Date: Wed, 16 Feb 2005 09:47:07 -0500
    To: bugtraq@securityfocus.com
    
    

    Jamie Pratt wrote:

    > Still no dice on 6.3, even with the "config=www.site.org" etc,etc..
    > same error. So.. Can we all agree that 6.3 is not vulnerable, because
    > I'd rather not upgrade to a dev/unstable release for no reason...

    I can confirm the bug on 6.3 running Apache 2.0.52.

    Furthermore, ANY system command inserted in the system() call can be
    executed. This is a very serious bug. Unpriviledged user or not, with
    an .rhosts file on a potential attacker's end, scp would work just
    nicely, then a chmod, then execution of any script they wanted to upload.

    This issue is not to be taken lightly.

    Until this issue is resolved, we have commented out the Plugin lines:
    # AWStats output is replaced by a plugin output
    if ($PluginMode) {
           my $function="BuildFullHTMLOutput_$PluginMode()";
           eval("$function");
           if ($? || $@) { error("$@"); }
           &html_end(0);
           exit 0;
    }

    If a plugin is called, it is apparently ignored and the stats are displayed.

    -- 
    Thom Craver
    Corporate Communications, Inc.
    www.corp-com.com
    585.262.3430 
    

  • Next message: Thor (Hammer of God): "Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs."