Sunday, February 06, 2005

Awstats security hole - update

There is another vulnerability found in AWStats (version 5.7 through 6.2), which allows remote command execution even if the AllowToUpdateStatsFromBrowser flag has been set to 0.

This exploit causes arbitary commands to be executed by using 'pluginmode'. Here is an example:

Check out this code snippet that doesnt sanitize the input, thereby allowing for the above exploit to work.

Here is the ver 6.1 snippet:
# AWStats output is replaced by a plugin output>
if ($PluginMode) {

my $function="BuildFullHTMLOutput_$PluginMode()";
if ($? || $@) { error("$@"); }
exit 0;

Your options are pretty much limited at this time.
  1. Upgrade to AWstats version 6.3 or newer which might also require you to upgrade your Perl version to 5.00503 or higher
  2. Shutdown AWStats on your server (eeew - bad idea!)
  3. Resort to security by obscurity. Rename the file to some wierdo name like and hope that no one figures out the new name.
  4. If for any reason you cannot upgrade your Perl and/or AWstats, you could actually fix the file. Just sanitize the input before the eval("$function"). See above snippet.
Take you pick. If you choose option #4, do post the fix by adding a comment here. Thanks and Good luck!

Comments: Post a Comment

<< Home

This page is powered by Blogger. Isn't yours?

Copyright Anand Jain 2004, 2005. All rights reserved.