The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
AWStats ShowInfoURL Remote Command Execution
------------------------------------------------------------------------
SUMMARY
" <http://awstats.sourceforge.net/> AWStats is a free powerful and
featureful tool that generates advanced web, streaming, ftp or mail server
statistics, graphically. "
Remote exploitation of an input validation vulnerability in AWStats allows
remote attackers to execute arbitrary commands.
DETAILS
Vulnerable Systems:
* AWStats version 6.3 and prior
Immune Systems:
* AWStats version 6.4
AWStats is a logfile analysis tool that generates reports for ftp, mail
and web traffic. The problem specifically exists because of insufficient
input filtering before passing user-supplied data to an eval() function.
As part of the statistics reporting function, AWStats displays information
about the most common referrer values that caused users to visit the
website. The referrer data is used without proper sanitation in an eval()
statement, resulting in the execution of arbitrary perl code.
Shown as follows, the $url parameter contains unfiltered user-supplied
data that is used in a call to the Perl routine eval() on lines 4841 and
4842 of awstats.pl (version 6.4):
my $function="ShowInfoURL_$pluginname('$url')";
eval("$function");
The malicious referrer value will be included in the referrer statistics
portion of the AWStats report after AWStats has been run to generate a new
report including the tainted data. Once a user visits the referrer
statistics page, the injected perl code will execute with permissions of
the web service.
Successful exploitation results in the execution of arbitrary commands
with permissions of the web service. Exploitation will not occur until the
stats page has been regenerated with the tainted referrer values from the
http access log. Note that AWStats is only vulnerable in situations where
at least one URLPlugin is enabled.
Workaround:
Disable all URLPlugins in the AWStats configuration.
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1527>
CAN-2005-1527
Disclosure Timeline:
05/12/2005 - Initial vendor notification
08/09/2005 - Public disclosure
ADDITIONAL INFORMATION
The information has been provided by
<mailto:idlabs-advisories@idefense.com> iDEFENSE.
The original article can be found at:
<http://www.idefense.com/application/poi/display?id=290&type=vulnerabilities>
http://www.idefense.com/application/poi/display?id=290&type=vulnerabilities
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
