BugTraq
AWStats <= 6.4 Multiple vulnerabilities Feb 14 2005 08:10AM
GHC@www.securityfocus.com,[ru]@securityfocus.com@www.securityfocus.com (foster ghc ru) (1 replies)
Re: AWStats <= 6.4 Multiple vulnerabilities Feb 15 2005 03:24PM
Ondra Holecek (bln deprese net) (1 replies)
Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3? Feb 15 2005 07:25PM
Jamie Pratt (jpratt norwich edu) (2 replies)
Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3? Feb 15 2005 09:00PM
twebster daksoft com
Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3? Feb 15 2005 07:52PM
Ondra Holecek (bln deprese net) (2 replies)
Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3? Feb 15 2005 09:38PM
Herman Sheremetyev (herman swebpage com) (1 replies)
Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3? Feb 15 2005 09:46PM
Jamie Pratt (jpratt norwich edu) (2 replies)
Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3? Feb 16 2005 08:52PM
Micah Brandon (brandon vv com) (1 replies)
Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3? Feb 17 2005 07:01PM
Matt Wilder (grewaru gmail com)
Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3? Feb 16 2005 02:47PM
Thom Craver (tcraver corp-com com)
Jamie Pratt wrote:

> Still no dice on 6.3, even with the "config=www.site.org" etc,etc..
> same error. So.. Can we all agree that 6.3 is not vulnerable, because
> I'd rather not upgrade to a dev/unstable release for no reason...

I can confirm the bug on 6.3 running Apache 2.0.52.

Furthermore, ANY system command inserted in the system() call can be
executed. This is a very serious bug. Unpriviledged user or not, with
an .rhosts file on a potential attacker's end, scp would work just
nicely, then a chmod, then execution of any script they wanted to upload.

This issue is not to be taken lightly.

Until this issue is resolved, we have commented out the Plugin lines:
# AWStats output is replaced by a plugin output
if ($PluginMode) {
my $function="BuildFullHTMLOutput_$PluginMode()";
eval("$function");
if ($? || $@) { error("$@"); }
&html_end(0);
exit 0;
}

If a plugin is called, it is apparently ignored and the stats are displayed.

--
Thom Craver
Corporate Communications, Inc.
www.corp-com.com
585.262.3430

[ reply ]
Re: AWStats <= 6.4 Multiple vulnerabilities - can't reproduce in 6.3? Feb 15 2005 09:23PM
Ondra Holecek (bln deprese net)


 

Privacy Statement
Copyright 2010, SecurityFocus