Sunday, February 06, 2005

Awstats security hole - update

Another vulnerability has been found in AWStats (versions 5.7 through 6.2) which allows remote command execution even if the AllowToUpdateStatsFromBrowser flag has been set to 0, so that setting alone does not protect you.

This exploit causes arbitrary commands to be executed through the 'pluginmode' parameter, whose value is interpolated into a string that awstats.pl then hands to eval(). Here is an example:
http://yourserver/cgi-bin/awstats.pl?pluginmode=:system("/bin/ls");

Check out the code snippet below: it does not validate the input at all, which is what allows the above exploit to work.

Here is the awstats.pl ver 6.1 snippet:
# AWStats output is replaced by a plugin output
if ($PluginMode) {
    # $PluginMode is the raw pluginmode query parameter; nothing checks it before the eval
    my $function="BuildFullHTMLOutput_$PluginMode()";
    eval("$function");
    if ($? || $@) { error("$@"); }
    &html_end(0);
    exit 0;
}

Your options are pretty much limited at this time.
  1. Upgrade to AWStats version 6.3 or newer, which might also require you to upgrade your Perl version to 5.00503 or higher.
  2. Shut down AWStats on your server (eeew - bad idea!).
  3. Resort to security by obscurity. Rename the awstats.pl file to some weird name like AyDablyouStats.pl and hope that no one figures out the new name. This does not close the hole; anyone who finds the new name can still exploit it.
  4. If for any reason you cannot upgrade your Perl and/or AWStats, you can patch awstats.pl yourself: validate the pluginmode value (for example, allow only letters, digits and underscores) before it reaches the eval("$function") in the snippet above, and reject the request otherwise.
Take your pick. If you choose option #4, do post the fix by adding a comment here. Thanks and good luck!
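Here, as an added example (not code from awstats.pl or the AWStats project), is a small Perl script that reproduces the vulnerable construction from the snippet above beside one way of implementing option #4. The BuildFullHTMLOutput_example routine and the run_plugin_* function names are assumptions made for the demo; in awstats.pl the same check belongs directly in front of the eval.

```perl
#!/usr/bin/perl
# Added example, not code from awstats.pl: the unvalidated pluginmode
# string reaching eval(), beside a hardened dispatcher that only calls a
# BuildFullHTMLOutput_* routine whose name is a plain identifier and
# which actually exists.
use strict;
use warnings;
$| = 1;    # unbuffer stdout so system() output and print() interleave in order

# Stand-in for a real plugin output routine (name assumed for this demo;
# in awstats.pl such routines are defined by the loaded plugins).
sub BuildFullHTMLOutput_example { return "example plugin output\n"; }

# Vulnerable dispatch, the same construction as the awstats.pl 6.1 snippet.
# $PluginMode is the raw CGI parameter. For pluginmode=:system("/bin/ls");
# the string handed to eval() becomes
#     BuildFullHTMLOutput_:system("/bin/ls");()
# which Perl parses as a label, a system() call, and an empty list.
sub run_plugin_vulnerable {
    my ($PluginMode) = @_;
    my $function = "BuildFullHTMLOutput_$PluginMode()";
    my $out = eval("$function");
    die "plugin error: $@" if $@;
    return defined $out ? $out : "(plugin returned nothing)\n";
}

# Hardened dispatch:
#   1. accept only a short identifier (letters, digits, underscore); \A..\z
#      rather than ^..$ so a trailing newline cannot sneak through;
#   2. resolve the routine with can() and confirm it really exists;
#   3. call it through the code reference, never by eval'ing a built string.
sub run_plugin_safe {
    my ($PluginMode) = @_;
    unless (defined $PluginMode && $PluginMode =~ /\A([A-Za-z0-9_]{1,64})\z/) {
        die "Invalid pluginmode parameter\n";
    }
    my $name = "BuildFullHTMLOutput_$1";    # built only from the validated capture
    my $code = __PACKAGE__->can($name)
        or die "Unknown plugin routine '$name'\n";
    return $code->();
}

# Demo: a legitimate plugin name and the injection payload through both paths.
for my $p ('example', ':system("/bin/echo INJECTED");') {
    print "pluginmode=$p\n";
    print "  vulnerable: ", run_plugin_vulnerable($p);    # 2nd input runs /bin/echo
    my $safe = eval { run_plugin_safe($p) };
    print "  hardened:   ", (defined $safe ? $safe : "rejected: $@");
}
```

Run it with perl: for the first input both dispatchers produce the plugin output; for the second, the vulnerable path executes /bin/echo (the stand-in for /bin/ls in the exploit URL) while the hardened path rejects the parameter before anything is evaluated. In a real awstats.pl patch you could go one step further and only accept names of plugins the configuration actually loaded, rather than any defined BuildFullHTMLOutput_* routine.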



Copyright Anand Jain 2004, 2005. All rights reserved.