Full Disclosure mailing list archives
Re: iDEFENSE Security Advisory 08.09.05: AWStats ShowInfoURL Remote Command Execution Vulnerability
From: Martin Pitt <martin.pitt () canonical com>
Date: Thu, 11 Aug 2005 12:45:45 +0200
Hi Laurent, hi iDEFENSE! iDEFENSE Labs [2005-08-09 12:24 -0400]:
Shown as follows, the $url parameter contains unfiltered user-supplied data that is used in a call to the Perl routine eval() on lines 4841 and 4842 of awstats.pl (version 6.4): my $function="ShowInfoURL_$pluginname('$url')"; eval("$function");
Thanks for spotting this. Also, please note that you correctly state that this vulnerable code is from 6.4
iDEFENSE Labs has confirmed the existence of this vulnerability in AWStats 6.3. All earlier versions are suspected vulnerable. AWStats 6.4 has been released since the initial research on this vulnerability. AWStats 6.4 has replaced all eval() statements, and has mitigated the exposure to this vulnerability.
6.4 still contains loads of eval() statements, and still seems vulnerable against this flaw, since the quoted code hasn't changed at all.
This vulnerability has been addressed with the release of AWStats 6.4.
As far as I can see, it is not yet fixed even in upstream CVS in awstats.pl. http://cvs.sourceforge.net/viewcvs.py/awstats/awstats/wwwroot/cgi-bin/awstats.pl So am I totally confused and somehow this was fixed in a different place (although I can't see how)? Or is this not yet fixed at all? Thanks, Martin -- Martin Pitt http://www.piware.de Ubuntu Developer http://www.ubuntu.com Debian Developer http://www.debian.org
Attachment:
signature.asc
Description: Digital signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- iDEFENSE Security Advisory 08.09.05: AWStats ShowInfoURL Remote Command Execution Vulnerability iDEFENSE Labs (Aug 09)
- Re: iDEFENSE Security Advisory 08.09.05: AWStats ShowInfoURL Remote Command Execution Vulnerability Martin Pitt (Aug 11)
- Re: iDEFENSE Security Advisory 08.09.05: AWStats ShowInfoURL Remote Command Execution Vulnerability Laurent Destailleur (Eldy) (Aug 11)
- Re: iDEFENSE Security Advisory 08.09.05: AWStats ShowInfoURL Remote Command Execution Vulnerability Martin Pitt (Aug 11)