Bugtraq mailing list archives
Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3?
From: Thom Craver <tcraver () corp-com com>
Date: Wed, 16 Feb 2005 09:47:07 -0500
Jamie Pratt wrote:
Still no dice on 6.3, even with the "config=www.site.org" etc,etc.. same error. So.. Can we all agree that 6.3 is not vulnerable, because I'd rather not upgrade to a dev/unstable release for no reason...
I can confirm the bug on 6.3 running Apache 2.0.52. Furthermore, ANY system command inserted in the system() call can be executed. This is a very serious bug. Unprivileged user or not, with an .rhosts file on a potential attacker's end, scp would work just nicely, then a chmod, then execution of any script they wanted to upload.
This issue is not to be taken lightly. Until this issue is resolved, we have commented out the Plugin lines:

    # AWStats output is replaced by a plugin output
    if ($PluginMode) {
        my $function="BuildFullHTMLOutput_$PluginMode()";
        eval("$function");
        if ($? || $@) { error("$@"); }
        &html_end(0);
        exit 0;
    }

If a plugin is called, it is apparently ignored and the stats are displayed.

-- 
Thom Craver
Corporate Communications, Inc.
www.corp-com.com
585.262.3430
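The block quoted in the message above builds a string from $PluginMode and passes it to eval. As an added example (not part of the original post and not AWStats code), here is one way to resolve a plugin handler without evaluating request data: allowlist the name, then look the sub up by name. The handler subs, resolve_plugin_output and the sample values are hypothetical.

```perl
#!/usr/bin/perl
# Added example, not AWStats code: resolve a plugin output handler
# without passing request data to a string eval.
use strict;
use warnings;

# Hypothetical handlers standing in for BuildFullHTMLOutput_<plugin> subs.
sub BuildFullHTMLOutput_geoip    { return "geoip report\n" }
sub BuildFullHTMLOutput_timezone { return "timezone report\n" }

# Returns a code reference for the named plugin, or a false value
# if the name is malformed or no such handler is defined.
sub resolve_plugin_output {
    my ($mode) = @_;
    return unless defined $mode;

    # Allowlist the name: ASCII letters, digits, underscore, bounded length.
    # \A and \z anchor the whole string; a bare $ would accept a trailing
    # newline.
    return unless $mode =~ /\A[A-Za-z0-9_]{1,32}\z/;

    # Look the sub up by name. Nothing from the request is ever compiled
    # or executed as Perl source.
    return main->can("BuildFullHTMLOutput_$mode");
}

# Constructed sample values for the plugin-mode request parameter.
my @samples = (
    'geoip',                # defined handler
    'timezone',             # defined handler
    'nosuchplugin',         # well-formed name, no handler
    'geoip; not-a-name',    # characters outside the allowlist
    "geoip\n",              # trailing newline
);

for my $mode (@samples) {
    my $handler = resolve_plugin_output($mode);
    (my $shown = $mode) =~ s/\n/\\n/g;    # make the newline visible
    if ($handler) {
        print "accepted '$shown': ", $handler->();
    }
    else {
        print "rejected '$shown'\n";
    }
}
```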