AWStats awstats.pl configdir Parameter Arbitrary Command Execution

2005-01-01T01:11:30
ID OSVDB:13002
Type osvdb
Reporter iDEFENSE(idlabs-advisories@idefense.com)
Modified 2005-01-01T01:11:30

Description

Vulnerability Description

AWStats contains a flaw that may allow a malicious user to issue arbitrary commands with the privileges of the web server. The issue is triggered by using the pipe character (|) and shell metacharacters in the 'configdir' variable of the awstats.pl script. Such input is not sanitized before being passed to the Perl 'open()' command to be executed.

Technical Description

The AWStats website announced that installations are safe from remote command execution if the variable '$AllowToUpdateStatsFromBrowser' is set to '0' (off). However, subsequent testing indicates this does not fully mitigate the vulnerability.

Solution Description

Upgrade to version 6.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Manual Testing Notes

http://[target]/cgi-bin/awstats/awstats.pl?configdir=|echo%20;echo%20;id;echo%20;echo|
http://[target]/cgi-bin/awstats/awstats.pl?configdir=|cd%20/tmp;%20touch%20evilfile;
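
A log check for requests of the kind shown above, added here as an example (it is not part of the OSVDB entry or of AWStats): it scans web server access-log lines for awstats.pl requests whose decoded 'configdir' value contains a pipe or shell metacharacter. The log lines, client addresses and function names are constructed for illustration, and an Apache-style access log format is assumed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Characters that have no place in a directory path handed to Perl's open():
# a pipe turns the argument into a command, the rest are shell metacharacters.
SUSPICIOUS = re.compile(r"[|;&`$<>(){}\n\r]")
# Assumed Apache-style access log line: client address, then the quoted request.
REQUEST = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log; addresses come from documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Feb/2005:10:00:00 +0000] "GET /cgi-bin/awstats/awstats.pl?config=example.org HTTP/1.1" 200 5120',
    '192.0.2.11 - - [01/Feb/2005:10:00:05 +0000] "GET /cgi-bin/awstats/awstats.pl?configdir=/etc/awstats HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Feb/2005:10:01:00 +0000] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo%20;echo%20;id;echo%20;echo| HTTP/1.0" 200 310',
    '198.51.100.7 - - [01/Feb/2005:10:01:09 +0000] "GET /cgi-bin/awstats/awstats.pl?configdir=%7Ccd%20/tmp;%20touch%20evilfile; HTTP/1.0" 200 290',
]

def suspicious_configdir(target):
    """Return the decoded configdir value if the request target is an
    awstats.pl call whose configdir holds a pipe or shell metacharacter."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/awstats.pl"):
        return None
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() == "configdir" and SUSPICIOUS.search(value):
            return value
    return None

def scan(lines):
    """Return (line number, client address, decoded configdir) per flagged line."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.match(line)
        if not match:
            continue
        value = suspicious_configdir(match.group("target"))
        if value is not None:
            hits.append((number, match.group("ip"), value))
    return hits

if __name__ == "__main__":
    for number, ip, value in scan(SAMPLE_LOG):
        print(f"line {number}: {ip} sent configdir={value!r}")
```

Percent-decoding happens before the character check, so an encoded pipe (%7C) is flagged the same way as a literal one.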

References:

Vendor URL: http://awstats.sourceforge.net/
Vendor Specific News/Changelog Entry: http://awstats.sourceforge.net/docs/awstats_changelog.txt
Secunia Advisory ID: 13893
Secunia Advisory ID: 14007
Other Advisory URL: http://security.gentoo.org/glsa/glsa-200501-36.xml
Other Advisory URL: http://www.idefense.com/application/poi/display?id=185&type=vulnerabilities
Other Advisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2005-006.txt
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-01/0288.html
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-02/0258.html
CVE-2005-0116
CERT VU: 272296