Arbitrary command execution

Automatically imported from Debian bug report #291064 http://bugs.debian.org/291064

Message-ID: <email address hidden>
Date: Tue, 18 Jan 2005 15:25:00 +0100
From: Martin Schulze <email address hidden>
To: <email address hidden>
Subject: Arbitrary command execution

Package: awstats
Version: 6.2-1
Severity: grave
Tags: security sarge sid patch

Please see this advisory at iDEFENSE for details
http://www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=false

   VI. VENDOR RESPONSE

   This vulnerability is addressed in AWStats 6.3, available for download

The version in woody is not affected by this problem.

Regards,

 Joey

--
Ten years and still binary compatible. -- XFree86

Please always Cc to me when replying to me on the lists.

Message-ID: <email address hidden>
Date: Wed, 19 Jan 2005 17:20:51 +0100
From: Martin Schulze <email address hidden>
To: <email address hidden>
Subject: CAN-2005-0116: Arbitrary command execution

This problem has been assigned CAN-2005-0116:

URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0116

Reference: IDEFENSE:20050117 AWStats Remote Command Execution Vulnerability
Reference: URL:http://www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=false
Reference: CONFIRM:http://awstats.sourceforge.net/docs/awstats_changelog.txt

AWStats 6.1, and other versions before 6.3, allows remote attackers to
execute arbitrary commands via shell metacharacters in the configdir
parameter.

Please
 . update the package in sid
 . mention the CVE id from the subject in the changelog
 . use priority=high
 . no need to upload into sarge directly, except if the version in
   sid is not meant to go into testing

Regards,

 Joey

--
Ten years and still binary compatible. -- XFree86

Please always Cc to me when replying to me on the lists.

Message-ID: <email address hidden>
Date: Thu, 20 Jan 2005 03:53:16 +0100
From: <email address hidden>
To: <email address hidden>
Subject: iDefense alert

merge 291064 291306
thanks

they all refers to the idense alert id 185

Ciao
Alban

*** Bug 12066 has been marked as a duplicate of this bug. ***

Fixed in Hoary in 6.2-1ubuntu1. Fixed in Warty in 6.0-4ubuntu0.1. No USN though,
since Warty's awstats is in universe (Hoary's is in main).

Message-ID: <email address hidden>
Date: Thu, 20 Jan 2005 15:58:19 +0100
From: Martin Pitt <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: Ubuntu patch

--wRRV7LY7NUeQGEoC
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

tag 291064 patch
thanks

Hi!

FYI, I just fixed the Ubuntu package, you can get the debdiff from

  http://patches.ubuntu.com/patches/awstats.CAN-2005-0016.diff

The upstream fix is much more invasive, I just did the necessary
changes to fix the vulnerability, nothing else.

Martin
--=20
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian GNU/Linux Developer http://www.debian.org

--wRRV7LY7NUeQGEoC
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFB78cLDecnbV4Fd/IRAnsWAJ4qWu7o0yik7SMAYJL5MjbcfdfoKgCgjUPB
w+L49kQr7fQmLg6ik4yl29A=
=SBNU
-----END PGP SIGNATURE-----

--wRRV7LY7NUeQGEoC--

Message-Id: <email address hidden>
Date: Thu, 20 Jan 2005 16:47:03 -0500
From: Joey Hess <email address hidden>
To: <email address hidden>
Cc: Joey Hess <email address hidden>, Jonas Smedegaard <email address hidden>
Subject: Fixed in NMU of awstats 6.2-1.1

tag 291064 + fixed

quit

This message was generated automatically in response to a
non-maintainer upload. The .changes file follows.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 20 Jan 2005 16:29:35 -0500
Source: awstats
Binary: awstats
Architecture: source all
Version: 6.2-1.1
Distribution: unstable
Urgency: high
Maintainer: Jonas Smedegaard <email address hidden>
Changed-By: Joey Hess <email address hidden>
Description:
 awstats - powerful and featureful web server log analyzer
Closes: 291064
Changes:
 awstats (6.2-1.1) unstable; urgency=HIGH
 .
   * NMU with the following patch from Ubuntu. Closes: #291064
   * SECURITY UPDATE: fix arbitrary command execution
   * awstats/wwwroot/cgi-bin/awstats.pl: remove all non-path characters from
     the "configdir" parameter and the SiteConfig variable to prevent execution
     of arbitrary shell commands when open()'ing them.
   * References:
     CAN-2005-0116
     http://www.idefense.com/application/poi/display?id=185&type=vulnerabilities
Files:
 fffb5cc23b2e3c0ac82ce1fc4dee65d9 581 web optional awstats_6.2-1.1.dsc
 a6f4d0b2766e57cd5e516880141ceb46 14128 web optional awstats_6.2-1.1.diff.gz
 61f5e222c974635e3f722e1df0577d32 658544 web optional awstats_6.2-1.1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFB8CPP2tp5zXiKP0wRAvhXAKCoMcyVV8l9SrGKJyk+nEpNzw5wYgCglZ08
czXEPNy80B1gHi0j5qEoeAw=
=Y6zL
-----END PGP SIGNATURE-----

Message-Id: <email address hidden>
Date: Fri, 21 Jan 2005 02:14:09 +0100
From: Frank Lichtenheld <email address hidden>
To: <email address hidden>
Subject: tagging 291064

# Automatically generated email from bts, devscripts version 2.8.5
tags 291064 - fixed sid

Message-ID: <email address hidden>
Date: Fri, 21 Jan 2005 03:04:41 -0800
From: Steve Langasek <email address hidden>
To: <email address hidden>
Subject: fixed package has reached testing

tags 291064 + sid fixed
thanks

Message-ID: <email address hidden>
Date: Sun, 06 Feb 2005 06:52:24 +0800
From: Rex Tsai <email address hidden>
To: <email address hidden>
Cc: <email address hidden>, <email address hidden>, <email address hidden>, <email address hidden>,
 Jonas Smedegaard <email address hidden>
Subject: AWStats Multiple Unspecified Remote Input Validation Vulnerabilities

--------------enig4FAB83D420C715AD24216414
Content-Type: multipart/mixed;
 boundary="------------080000080303060208000608"

This is a multi-part message in MIME format.
--------------080000080303060208000608
Content-Type: text/plain; charset=Big5
Content-Transfer-Encoding: 7bit

  2005/02/03, wiki.debian.org.tw was hax0red by aneurysm.inc who
is a cracker from Brasil. He successful changed several web pages
on the host, but failed to bind a shell or install a trojan. He
filed a defacement on zone-h.org.
http://www.zone-h.org/en/defacements/view/id=2038714/

  I notified that Joey did a NUM with patch from Ubuntu 20 days ago,
but the patch did not addressed all vulnerabilities. There is
another input validation vulnerability. The "pluginmode" parameter
can be exploited in a call to the perl routine eval() which allows
attackers to execute arbitrary commands.

You can see on line 5660-5666 of awstats.pl 6.2. An attacker can prefix
arbitrary commands with the ':system(cmd)' or ';system(cmd)' through a
URI parameter. The attachment is my quick and dirty workaround patch.

  5659 # AWStats output is replaced by a plugin output
  5660 if ($PluginMode) {
  5661 my $function="BuildFullHTMLOutput_$PluginMode()";
  5662 eval("$function");
  5663 if ($? || $@) { error("$@"); }
  5664 &html_end(0);
  5665 exit 0;
  5666 }

Please
  * announce a DSA.
  * upgrade to awstats 6.3 ASAP.

Best Regards
-Rex

--------------080000080303060208000608
Content-Type: text/plain;
 name="diff"
Content-Transfer-Encoding: base64
Content-Disposition: inline;
 filename="diff"

LS0tIGF3c3RhdHMucGwJMjAwNS0wMi0wNiAwNjowNTo1NC4wMDAwMDAwMDAgKzA4MDAKKysr
IGF3c3RhdHMucGwub3JpZwkyMDA0LTEwLTMxIDAyOjAyOjI0LjAwMDAwMDAwMCArMDgwMApA
QCAtNTMzMyw4ICs1MzMzLDggQEAKIAogCWlmICgkUXVlcnlTdHJpbmcgPX4gL2NvbmZpZz0o
W14mXSspL2kpCQkJCXsgJFNpdGVDb25maWc9JkRlY29kZUVuY29kZWRTdHJpbmcoIiQxIik7
IH0KIAlpZiAoJFF1ZXJ5U3RyaW5nID1+IC9kaXJpY29ucz0oW14mXSspL2kpCQkJeyAkRGly
SWNvbnM9JkRlY29kZUVuY29kZWRTdHJpbmcoIiQxIik7IH0KLQlpZiAoJFF1ZXJ5U3RyaW5n
ID1+IC9wbHVnaW5tb2RlPShbXiZdKykvaSkJCQl7ICRQbHVnaW5Nb2RlPSZEZWNvZGVFbmNv
ZGVkU3RyaW5nKCIkMSIpOyAkUGx1Z2luTW9kZSA9fiBzL1teXHdfXC1cXFwvXC5cc10vL2d9
Ci0JaWYgKCRRdWVyeVN0cmluZyA9fiAvY29uZmlnZGlyPShbXiZdKykvaSkJCQl7ICREaXJD
b25maWc9JkRlY29kZUVuY29kZWRTdHJpbmcoIiQxIik7ICREaXJDb25maWcgPX4gcy9bXlx3
X1wtXFxcL1wuXHNdLy9nIH0KKwlpZiAoJFF1ZXJ5U3RyaW5nID1+IC9wbHVnaW5tb2RlPShb
XiZdKykvaSkJCQl7ICRQbHVnaW5Nb2RlPSZEZWNvZGVFbmNvZGVkU3RyaW5nKCIkMSIpOyB9
CisJaWYgKCRRdWVyeVN0cmluZyA9fiAvY29uZmlnZGlyPShbXiZdKykvaSkJCQl7ICREaXJD
b25maWc9JkRlY29kZUVuY29kZWRTdHJpbmcoIiQxIik7IH0KIAkjIEFsbCBmaWx0ZXJzCiAJ
aWYgKCRRdWVyeVN0cmluZyA9fiAvaG9zdGZpbHRlcj0oW14mXSspL2kpCQkJeyAkRmlsdGVy
SW57J2hvc3QnfT0mRGVjb2RlRW5jb2RlZFN0cmluZygiJDEiKTsgfQkJCSMgRmlsdGVyIG9u
IGhvc3QgbGlzdCBjYW4gYWxzbyBiZSBkZWZpbmVkIHdpdGggaG9zdGZpbHRlcj1maWx0ZXIK
IAlpZiAoJFF1ZXJ5U3Ry...

Message-Id: <email address hidden>
Date: Wed, 16 Feb 2005 22:17:06 -0500
From: Jonas Smedegaard <email address hidden>
To: <email address hidden>
Subject: Bug#291064: fixed in awstats 6.3-1

Source: awstats
Source-Version: 6.3-1

We believe that the bug you reported is fixed in the latest version of
awstats, which is due to be installed in the Debian FTP archive:

awstats_6.3-1.diff.gz
  to pool/main/a/awstats/awstats_6.3-1.diff.gz
awstats_6.3-1.dsc
  to pool/main/a/awstats/awstats_6.3-1.dsc
awstats_6.3-1_all.deb
  to pool/main/a/awstats/awstats_6.3-1_all.deb
awstats_6.3.orig.tar.gz
  to pool/main/a/awstats/awstats_6.3.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <email address hidden> (supplier of updated awstats package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 5 Feb 2005 17:13:48 +0100
Source: awstats
Binary: awstats
Architecture: source all
Version: 6.3-1
Distribution: unstable
Urgency: high
Maintainer: Jonas Smedegaard <email address hidden>
Changed-By: Jonas Smedegaard <email address hidden>
Description:
 awstats - powerful and featureful web server log analyzer
Closes: 291064 293668 293702 294488
Changes:
 awstats (6.3-1) unstable; urgency=high
 .
   * New upstream release. Closes: bug#293702, #293668 (thanks to Nelson
     A. de Oliveira <email address hidden>).
     + Includes upstream fix for security bug fixed in 6.2-1.1.
     + Includes upstream fix for most of security bug fixed in 6.2-1.1.
   * Acknowledge NMUs. Closes: bug#291064, #294488 (thanks to Martin
     Schulze <email address hidden>, Martin Pitt <email address hidden>, Ubuntu,
     Joey Hess <email address hidden>, Frank Lichtenheld <email address hidden> and Steve
     Langasek <email address hidden>).
   * Include patch for last parts of security bug fixed in 6.2-1.1:
     01_sanitize_more.patch.
   * Patch (02) to include snapshot of recent development:
     + Fix security hole that allowed a user to read log file content
       even when plugin rawlog was not enabled.
     + Fix a possible use of AWStats for a DoS attack.
     + configdir option was broken on windows servers.
     + DebugMessages is by default set to 0 for security reasons.
     + Minor fixes.
   * References:
     CAN-2005-0435 - read server logs via loadplugin and pluginmode
     CAN-2005-0436 - code injection via PluginMode
     CAN-2005-0437 - directory traversal via loadplugin
     CAN-2005-0438 - information leak via debug
Files:
 2dc54b77fee571afaba6074465ee79fb 577 web optional awstats_6.3-1.dsc
 edb73007530a5800d53b9f1f90c88053 938794 web optional awstats_6.3.orig.tar.gz
 daf739c6af548309a9724afaf2631a69 22093 web optional awstats_6.3-1.diff.gz
 bafc77369b5e40d31b4df2f6ab0920d4 725768...

Message-ID: <email address hidden>
Date: Thu, 17 Feb 2005 13:20:23 +0100
From: Jonas Smedegaard <email address hidden>
To: <email address hidden>
Subject: BTS corrections after security upload of awstats

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

reopen 291064,294488, 293668
tags 291064 - sid
tags 294488 + sarge
thanks

The BTS wrongly closes bugs tagged for package pools unrelated to the
upload, so reopen and make sure they are tagged "sarge" and not "sid".

Also, one of the security bugs (#291064) was wrongly replaced with a
lessdisks bug (#293668), so reopen that as well.

 - Jonas

- --
* Jonas Smedegaard - idealist og Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/

 - Enden er n=E6r: http://www.shibumi.org/eoti.htm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCFIwHn7DbMsAkQLgRAmcLAKCFBrJYf+JzREfFkZGBQ1xwu1P22gCdGn45
vsSJjAV4S8josltTO0sHecM=3D
=3DsyaH
-----END PGP SIGNATURE-----