[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Re: iDEFENSE Security Advisory 08.09.05: AWStats ShowInfoURL Remote Command Execution Vulnerability

To: Martin Pitt <martin.pitt@xxxxxxxxxxxxx>
Subject: [Full-disclosure] Re: iDEFENSE Security Advisory 08.09.05: AWStats ShowInfoURL Remote Command Execution Vulnerability
From: "Laurent Destailleur (Eldy)" <eldy@xxxxxxxxxxxxxxxxxxxxx>
Date: Fri, 12 Aug 2005 00:22:59 +0200

Martin Pitt wrote:

Hi Laurent, hi iDEFENSE!

The eval function still exists, however parameters inside has been sanitized, this explain the known exploits does not works any more now. However, may be there is still a way to crack this (despite sanitizing) but i can't "see" how for the moment. To be sure, i decided to completely remove the "eval" function with 6.5 that is in beta but i consider 6.4 safe (until a way to hack the sanitizing is found).

iDEFENSE Labs [2005-08-09 12:24 -0400]:

Shown as follows, the $url parameter contains unfiltered user-supplied data that is used in a call to the Perl routine eval() on lines 4841 and 4842 of awstats.pl (version 6.4):

my $function="ShowInfoURL_$pluginname('$url')"; eval("$function");
Thanks for spotting this. Also, please note that you correctly state
that this vulnerable code is from 6.4
iDEFENSE Labs has confirmed the existence of this vulnerability in AWStats 6.3. All earlier versions are suspected vulnerable. AWStats 6.4 has been released since the initial research on this vulnerability. AWStats 6.4 has replaced all eval() statements, and has mitigated the exposure to this vulnerability.
6.4 still contains loads of eval() statements, and still seems
vulnerable against this flaw, since the quoted code hasn't changed at
all.
This vulnerability has been addressed with the release of AWStats 6.4.
As far as I can see, it is not yet fixed even in upstream CVS in
awstats.pl.
 
http://cvs.sourceforge.net/viewcvs.py/awstats/awstats/wwwroot/cgi-bin/awstats.pl
So am I totally confused and somehow this was fixed in a different
place (although I can't see how)? Or is this not yet fixed at all?
Thanks,
Martin

--
Laurent Destailleur.
---------------------------------------------------------------
EMail: eldy@xxxxxxxxxxxxxxxxxxxxx
Instant messenger: ICQ=89306207, Jabber=Eldy
Web: http://www.destailleur.fr
AWStats: http://awstats.sourceforge.net
CVSChangeLogBuilder: http://cvschangelogb.sourceforge.net
AWBot: http://awbot.sourceforge.net
Dolibarr: http//dolibarr.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] iDEFENSE Security Advisory 08.09.05: AWStats ShowInfoURL Remote Command Execution Vulnerability
  - From: iDEFENSE Labs
- [Full-disclosure] Re: iDEFENSE Security Advisory 08.09.05: AWStats ShowInfoURL Remote Command Execution Vulnerability
  - From: Martin Pitt

Prev by Date: [Full-disclosure] Re: Help put a stop to incompetentcomputerforensics
Next by Date: [Full-disclosure] Bluetooth: Theft of Link Keys for Fun and Profit?
Previous by thread: [Full-disclosure] Re: iDEFENSE Security Advisory 08.09.05: AWStats ShowInfoURL Remote Command Execution Vulnerability
Next by thread: [Full-disclosure] RE: New Worm?
Index(es):
- Date
- Thread