Full Disclosure mailing list archives

Re: iDEFENSE Security Advisory 08.09.05: AWStats ShowInfoURL Remote Command Execution Vulnerability


From: Martin Pitt <martin.pitt () canonical com>
Date: Thu, 11 Aug 2005 12:45:45 +0200

Hi Laurent, hi iDEFENSE!

iDEFENSE Labs [2005-08-09 12:24 -0400]:
> Shown as follows, the $url parameter contains unfiltered user-supplied
> data that is used in a call to the Perl routine eval() on lines 4841
> and 4842 of awstats.pl (version 6.4):
>
>      my $function="ShowInfoURL_$pluginname('$url')";
>      eval("$function");

Thanks for spotting this. Also, please note that you correctly state
that this vulnerable code is from 6.4.

> iDEFENSE Labs has confirmed the existence of this vulnerability in
> AWStats 6.3. All earlier versions are suspected vulnerable. AWStats 6.4
> has been released since the initial research on this vulnerability.
> AWStats 6.4 has replaced all eval() statements, and has mitigated the
> exposure to this vulnerability.

6.4 still contains loads of eval() statements, and still seems
vulnerable to this flaw, since the quoted code hasn't changed at
all.

> This vulnerability has been addressed with the release of AWStats 6.4.

As far as I can see, it is not yet fixed even in upstream CVS in
awstats.pl.

  http://cvs.sourceforge.net/viewcvs.py/awstats/awstats/wwwroot/cgi-bin/awstats.pl

So am I totally confused and somehow this was fixed in a different
place (although I can't see how)? Or is this not yet fixed at all?

Thanks,

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

Attachment: signature.asc
Description: Digital signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
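To make the construct in the quoted awstats.pl lines concrete, here is an added example that is not code from awstats.pl, from the advisory, or from the thread. Only the two lines inside showinfo_vulnerable follow the quoted code; the hook ShowInfoURL_demo, the mark_pwned marker, the %HOOKS dispatch table and the two sample URLs are constructed for the demonstration. It runs the same inputs through the string-eval version and through a version that never builds source text from request data.

```perl
#!/usr/bin/perl
# Added illustration of the eval() construct quoted in the thread. This is
# not code from awstats.pl; only the two lines in showinfo_vulnerable follow
# the quoted ones. ShowInfoURL_demo, mark_pwned, %HOOKS and the sample
# inputs are constructed for the demonstration.
use strict;
use warnings;

# Stand-in for a plugin hook: records what it was called with.
our @CALLS;
sub ShowInfoURL_demo { my ($url) = @_; push @CALLS, "hook($url)"; return 1; }

# Marker that attacker-supplied code ran. A real payload would call
# system(), open() or similar instead of flipping a flag.
our $PWNED = 0;
sub mark_pwned { $PWNED = 1; return 1; }

# --- Vulnerable construct (the two quoted lines) ---
# $url is pasted into Perl source text, which is then compiled and run,
# so a quote character in $url ends the string literal and starts code.
sub showinfo_vulnerable {
    my ($pluginname, $url) = @_;
    my $function = "ShowInfoURL_$pluginname('$url')";
    eval("$function");
    return $@ ? "error: $@" : "ok";
}

# --- Hardened construct: no string eval at all ---
# Look the hook up by name in a table and pass $url as an ordinary
# argument, so its contents stay data and never reach the parser.
my %HOOKS = ( demo => \&ShowInfoURL_demo );   # constructed table

sub showinfo_hardened {
    my ($pluginname, $url) = @_;
    # Plugin names are identifiers chosen by the admin; whitelist their shape.
    return "error: bad plugin name" unless $pluginname =~ /\A\w+\z/;
    my $hook = $HOOKS{$pluginname} or return "error: unknown plugin";
    $hook->($url);
    return "ok";
}

# Constructed inputs: a benign URL and one that closes the quoted string,
# runs extra code, then re-opens a string so the remainder still parses.
my $benign  = 'http://example.test/page';
my $hostile = q{'); mark_pwned(); ShowInfoURL_demo('x};

for my $url ($benign, $hostile) {
    print "url: $url\n";
    for my $impl ([vulnerable => \&showinfo_vulnerable],
                  [hardened   => \&showinfo_hardened]) {
        my ($name, $fn) = @$impl;
        @CALLS = (); $PWNED = 0;
        my $r = $fn->('demo', $url);
        printf "  %-10s %-4s pwned=%d calls=%s\n", $name, $r, $PWNED,
               join(' | ', @CALLS);
    }
    print "\n";
}
```

With the hostile input the string-eval version reports "ok" while pwned=1 and the hook was called twice, because the text inside the quotes became part of the program; the hardened version passes the whole hostile string to the hook as a single argument and pwned stays 0. Validating the URL value itself is worthwhile defense in depth, but the actual fix is to stop turning request data into source text.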
