Details =======
Introduction ============
iDefense found a remote command execution vulnerability in awstats <= 6.2, see CAN-2005-0116.
The official awstats website tells users that they are safe from remote command execution if they set the variable $!AllowToUpdateStatsFromBrowser to 0. This is not true, as the exploit can still be triggered.
More Details ============
In awstats.pl the variable $configdir, which is used to exploit, can still be set remotely. Setting $!AllowToUpdateStatsFromBrowser to 0 only removes the link to the button which can be used to trigger updates. The variable can still be assigned per GET request.
Proof of Concept ================
Workaround ==========
Use the workaround provided by iDefense. See their advisory for the original vulnerability.
Fix ===
Security Risk =============
History =======
2005-02-12 eldy@xxxxxxxxxxxxxxxxxxxxx informed 2005-02-12 CVE number requested 2005-02-14 issue does not qualify for a CVE number. posted.
RedTeam =======
RedTeam is a penetration testing group working at the Laboratory for Dependable Distributed Systems at RWTH-Aachen University. You can find more Information on the RedTeam Project at http://tsyklon.informatik.rwth-aachen.de/redteam/
-- Maximillian Dornseif, Dipl. Jur., CISSP Laboratory for Dependable Distributed Systems, RWTH Aachen University Tel. +49 241 80-21431 - http://md.hudora.de/
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html