Arbitrary command execution
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
awstats (Debian) | Fix Released | Unknown | |
awstats (Ubuntu) | Fix Released | High | Martin Pitt |
Bug Description
Automatically imported from Debian bug report #291064 http://bugs.debian.org/291064
Debian Bug Importer (debzilla) wrote : | #1 |
Debian Bug Importer (debzilla) wrote : | #2 |
Message-ID: <email address hidden>
Date: Tue, 18 Jan 2005 15:25:00 +0100
From: Martin Schulze <email address hidden>
To: <email address hidden>
Subject: Arbitrary command execution
Package: awstats
Version: 6.2-1
Severity: grave
Tags: security sarge sid patch
Please see this advisory at iDEFENSE for details
http://
VI. VENDOR RESPONSE
This vulnerability is addressed in AWStats 6.3, available for download
The version in woody is not affected by this problem.
Regards,
Joey
--
Ten years and still binary compatible. -- XFree86
Please always Cc to me when replying to me on the lists.
In Debian Bug tracker #291064, Martin Schulze (joey-infodrom) wrote : CAN-2005-0116: Arbitrary command execution | #3 |
This problem has been assigned CAN-2005-0116:
URL: http://
Reference: IDEFENSE:20050117 AWStats Remote Command Execution Vulnerability
Reference: URL:http://
Reference: CONFIRM:http://
AWStats 6.1, and other versions before 6.3, allows remote attackers to
execute arbitrary commands via shell metacharacters in the configdir
parameter.
Please
. update the package in sid
. mention the CVE id from the subject in the changelog
. use priority=high
. no need to upload into sarge directly, except if the version in
sid is not meant to go into testing
Regards,
Joey
--
Ten years and still binary compatible. -- XFree86
Please always Cc to me when replying to me on the lists.
Debian Bug Importer (debzilla) wrote : | #4 |
Message-ID: <email address hidden>
Date: Wed, 19 Jan 2005 17:20:51 +0100
From: Martin Schulze <email address hidden>
To: <email address hidden>
Subject: CAN-2005-0116: Arbitrary command execution
In Debian Bug tracker #291064, Browaeys-alban (browaeys-alban) wrote : iDefense alert | #5 |
merge 291064 291306
thanks
they all refer to the iDefense alert id 185
Ciao
Alban
Debian Bug Importer (debzilla) wrote : | #6 |
Message-ID: <email address hidden>
Date: Thu, 20 Jan 2005 03:53:16 +0100
From: <email address hidden>
To: <email address hidden>
Subject: iDefense alert
Debian Bug Importer (debzilla) wrote : | #7 |
*** Bug 12066 has been marked as a duplicate of this bug. ***
In Debian Bug tracker #291064, Martin Pitt (pitti) wrote : Ubuntu patch | #8 |
tag 291064 patch
thanks
Hi!
FYI, I just fixed the Ubuntu package, you can get the debdiff from
http://
The upstream fix is much more invasive, I just did the necessary
changes to fix the vulnerability, nothing else.
Martin
--
Martin Pitt http://
Ubuntu Developer http://
Debian GNU/Linux Developer http://
Martin Pitt (pitti) wrote : | #9 |
Fixed in Hoary in 6.2-1ubuntu1. Fixed in Warty in 6.0-4ubuntu0.1. No USN though,
since Warty's awstats is in universe (Hoary's is in main).
Debian Bug Importer (debzilla) wrote : | #10 |
Message-ID: <email address hidden>
Date: Thu, 20 Jan 2005 15:58:19 +0100
From: Martin Pitt <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: Ubuntu patch
In Debian Bug tracker #291064, Joey Hess (joeyh) wrote : Fixed in NMU of awstats 6.2-1.1 | #11 |
tag 291064 + fixed
quit
This message was generated automatically in response to a
non-maintainer upload. The .changes file follows.
Format: 1.7
Date: Thu, 20 Jan 2005 16:29:35 -0500
Source: awstats
Binary: awstats
Architecture: source all
Version: 6.2-1.1
Distribution: unstable
Urgency: high
Maintainer: Jonas Smedegaard <email address hidden>
Changed-By: Joey Hess <email address hidden>
Description:
awstats - powerful and featureful web server log analyzer
Closes: 291064
Changes:
awstats (6.2-1.1) unstable; urgency=HIGH
.
* NMU with the following patch from Ubuntu. Closes: #291064
* SECURITY UPDATE: fix arbitrary command execution
* awstats/
the "configdir" parameter and the SiteConfig variable to prevent execution
of arbitrary shell commands when open()'ing them.
* References:
CAN-2005-0116
http://
Files:
Debian Bug Importer (debzilla) wrote : | #12 |
Message-Id: <email address hidden>
Date: Thu, 20 Jan 2005 16:47:03 -0500
From: Joey Hess <email address hidden>
To: <email address hidden>
Cc: Joey Hess <email address hidden>, Jonas Smedegaard <email address hidden>
Subject: Fixed in NMU of awstats 6.2-1.1
In Debian Bug tracker #291064, Frank Lichtenheld (djpig) wrote : tagging 291064 | #13 |
# Automatically generated email from bts, devscripts version 2.8.5
tags 291064 - fixed sid
Debian Bug Importer (debzilla) wrote : | #14 |
Message-Id: <email address hidden>
Date: Fri, 21 Jan 2005 02:14:09 +0100
From: Frank Lichtenheld <email address hidden>
To: <email address hidden>
Subject: tagging 291064
In Debian Bug tracker #291064, Steve Langasek (vorlon) wrote : fixed package has reached testing | #15 |
tags 291064 + sid fixed
thanks
Debian Bug Importer (debzilla) wrote : | #16 |
Message-ID: <email address hidden>
Date: Fri, 21 Jan 2005 03:04:41 -0800
From: Steve Langasek <email address hidden>
To: <email address hidden>
Subject: fixed package has reached testing
In Debian Bug tracker #291064, Rex Tsai (chihchun) wrote : AWStats Multiple Unspecified Remote Input Validation Vulnerabilities | #17 |
2005/02/03, wiki.debian.org.tw was hax0red by aneurysm.inc who
is a cracker from Brasil. He successfully changed several web pages
on the host, but failed to bind a shell or install a trojan. He
filed a defacement on zone-h.org.
http://
I noticed that Joey did an NMU with patch from Ubuntu 20 days ago,
but the patch did not address all vulnerabilities. There is
another input validation vulnerability. The "pluginmode" parameter
can be exploited in a call to the perl routine eval() which allows
attackers to execute arbitrary commands.
You can see on lines 5660-5666 of awstats.pl 6.2. An attacker can prefix
arbitrary commands with the ':system(cmd)' or ';system(cmd)' through a
URI parameter. The attachment is my quick and dirty workaround patch.
5659 # AWStats output is replaced by a plugin output
5660 if ($PluginMode) {
5661 my $function=
5662 eval("$function");
5663 if ($? || $@) { error("$@"); }
5664 &html_end(0);
5665 exit 0;
5666 }
Please
* announce a DSA.
* upgrade to awstats 6.3 ASAP.
Best Regards
-Rex
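The two injection points this thread describes, the configdir value reaching a two-argument open() (CAN-2005-0116, comments #3 and #11) and the pluginmode value reaching eval() (comment #17), each with one hardening approach. This is an added Perl example, not AWStats code and not any patch from this bug; the function names and the sample plugin table are hypothetical.

```perl
#!/usr/bin/perl
# Added example, not AWStats code: one hardening for each injection point in
# this thread. Function names and the sample plugin table are hypothetical.
use strict;
use warnings;

# CAN-2005-0116: a two-argument open() treats a '|' at either end of its
# argument as a pipe, so shell metacharacters in configdir (or SiteConfig)
# become a command. First line of defence: accept only a conservative
# character set and no '..' path segments.
sub validate_configdir {
    my ($dir) = @_;
    return undef unless defined $dir;
    return undef unless $dir =~ m{\A[A-Za-z0-9_\-./]+\z};
    return undef if $dir =~ m{(?:\A|/)\.\.(?:/|\z)};
    return $dir;
}

# Second line of defence: a three-argument open() with an explicit '<' mode
# never interprets the filename as a pipe, whatever characters it contains.
sub open_config {
    my ($dir, $site) = @_;
    my $path = "$dir/awstats.$site.conf";
    open(my $fh, '<', $path) or return undef;
    return $fh;
}

# CAN-2005-0436: building a string from the pluginmode parameter and passing
# it to eval() runs whatever Perl the parameter carries. Replace eval() with
# a fixed dispatch table keyed by plugin name, so unknown names do nothing.
my %PLUGIN_OUTPUT = (
    # Constructed sample entry; real AWStats plugins live in plugins/*.pm.
    example => sub { return "example plugin output" },
);

sub run_plugin_mode {
    my ($mode) = @_;
    return undef unless defined $mode && $mode =~ m{\A\w+\z};
    my $handler = $PLUGIN_OUTPUT{$mode} or return undef;
    return $handler->();
}

# Self-check on constructed inputs.
die "safe dir rejected"   unless validate_configdir('/etc/awstats') eq '/etc/awstats';
die "pipe not rejected"   if defined validate_configdir('/etc/awstats|cmd');
die "traversal accepted"  if defined validate_configdir('/etc/../tmp');
die "known plugin failed" unless run_plugin_mode('example') eq 'example plugin output';
die "injected mode ran"   if defined run_plugin_mode('example;cmd');
print "all checks passed\n";
```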
Debian Bug Importer (debzilla) wrote : | #18 |
Message-ID: <email address hidden>
Date: Sun, 06 Feb 2005 06:52:24 +0800
From: Rex Tsai <email address hidden>
To: <email address hidden>
Cc: <email address hidden>, <email address hidden>, <email address hidden>, <email address hidden>,
Jonas Smedegaard <email address hidden>
Subject: AWStats Multiple Unspecified Remote Input Validation Vulnerabilities
In Debian Bug tracker #291064, Jonas Smedegaard (dr) wrote : Bug#291064: fixed in awstats 6.3-1 | #19 |
Source: awstats
Source-Version: 6.3-1
We believe that the bug you reported is fixed in the latest version of
awstats, which is due to be installed in the Debian FTP archive:
awstats_
to pool/main/
awstats_6.3-1.dsc
to pool/main/
awstats_
to pool/main/
awstats_
to pool/main/
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jonas Smedegaard <email address hidden> (supplier of updated awstats package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)
Format: 1.7
Date: Sat, 5 Feb 2005 17:13:48 +0100
Source: awstats
Binary: awstats
Architecture: source all
Version: 6.3-1
Distribution: unstable
Urgency: high
Maintainer: Jonas Smedegaard <email address hidden>
Changed-By: Jonas Smedegaard <email address hidden>
Description:
awstats - powerful and featureful web server log analyzer
Closes: 291064 293668 293702 294488
Changes:
awstats (6.3-1) unstable; urgency=high
.
* New upstream release. Closes: bug#293702, #293668 (thanks to Nelson
A. de Oliveira <email address hidden>).
+ Includes upstream fix for security bug fixed in 6.2-1.1.
+ Includes upstream fix for most of security bug fixed in 6.2-1.1.
* Acknowledge NMUs. Closes: bug#291064, #294488 (thanks to Martin
Schulze <email address hidden>, Martin Pitt <email address hidden>, Ubuntu,
Joey Hess <email address hidden>, Frank Lichtenheld <email address hidden> and Steve
Langasek <email address hidden>).
* Include patch for last parts of security bug fixed in 6.2-1.1:
01_
* Patch (02) to include snapshot of recent development:
+ Fix security hole that allowed a user to read log file content
even when plugin rawlog was not enabled.
+ Fix a possible use of AWStats for a DoS attack.
+ configdir option was broken on windows servers.
+ DebugMessages is by default set to 0 for security reasons.
+ Minor fixes.
* References:
CAN-2005-0435 - read server logs via loadplugin and pluginmode
CAN-2005-0436 - code injection via PluginMode
CAN-2005-0437 - directory traversal via loadplugin
CAN-2005-0438 - information leak via debug
Files:
Debian Bug Importer (debzilla) wrote : | #20 |
Message-Id: <email address hidden>
Date: Wed, 16 Feb 2005 22:17:06 -0500
From: Jonas Smedegaard <email address hidden>
To: <email address hidden>
Subject: Bug#291064: fixed in awstats 6.3-1
In Debian Bug tracker #291064, Jonas Smedegaard (dr) wrote : BTS corrections after security upload of awstats | #21 |
reopen 291064,294488, 293668
tags 291064 - sid
tags 294488 + sarge
thanks
The BTS wrongly closes bugs tagged for package pools unrelated to the
upload, so reopen and make sure they are tagged "sarge" and not "sid".
Also, one of the security bugs (#291064) was wrongly replaced with a
lessdisks bug (#293668), so reopen that as well.
- Jonas
--
* Jonas Smedegaard - idealist and Internet architect
* Tel.: +45 40843136 Website: http://
- The end is near: http://
Debian Bug Importer (debzilla) wrote : | #22 |
Message-ID: <email address hidden>
Date: Thu, 17 Feb 2005 13:20:23 +0100
From: Jonas Smedegaard <email address hidden>
To: <email address hidden>
Subject: BTS corrections after security upload of awstats
Changed in awstats: status: Unknown → Fix Released
Automatically imported from Debian bug report #291064 http://bugs.debian.org/291064