2005/02/03, wiki.debian.org.tw was hax0red by aneurysm.inc, who
is a cracker from Brasil. He successfully changed several web pages
on the host, but failed to bind a shell or install a trojan. He
filed a defacement on zone-h.org. http://www.zone-h.org/en/defacements/view/id=2038714/
I noticed that Joey did an NMU with a patch from Ubuntu 20 days ago,
but the patch did not address all vulnerabilities. There is
another input validation vulnerability. The "pluginmode" parameter
can be exploited in a call to the Perl routine eval(), which allows
attackers to execute arbitrary commands.
You can see it on lines 5660-5666 of awstats.pl 6.2. An attacker can prefix
arbitrary commands with ':system(cmd)' or ';system(cmd)' through a
URI parameter. The attachment is my quick and dirty workaround patch.
5659 # AWStats output is replaced by a plugin output
5660 if ($PluginMode) {
5661 my $function="BuildFullHTMLOutput_$PluginMode()";
5662 eval("$function");
5663 if ($? || $@) { error("$@"); }
5664 &html_end(0);
5665 exit 0;
5666 }
Please
* announce a DSA.
* upgrade to awstats 6.3 ASAP.
Best Regards
-Rex
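The following is an added illustration, not awstats code and not Rex's attached patch: it places the eval()-based dispatch quoted above beside a hardened form that accepts only an identifier, checks that a routine of that name exists, and calls it through a code reference, so the request parameter is never compiled as Perl. The two BuildFullHTMLOutput_* subs are constructed stand-ins for the real plugin output routines.

```perl
#!/usr/bin/perl
# Added example, not from awstats 6.2 or from the reporter's patch.
use strict;
use warnings;

# Constructed stand-ins for awstats plugin output routines.
sub BuildFullHTMLOutput_demo  { return "demo output"; }
sub BuildFullHTMLOutput_other { return "other output"; }

# The pattern quoted from awstats.pl: the parameter is interpolated into
# Perl source text and eval'd, so a ';' or ':' in it appends statements.
# Shown for contrast only; it is not called with untrusted input below.
sub dispatch_unsafe {
    my ($PluginMode) = @_;
    my $function = "BuildFullHTMLOutput_$PluginMode()";
    my $out = eval("$function");
    die "plugin error: $@" if $@;
    return $out;
}

# Hardened dispatch: whitelist the shape of the value, confirm that a
# routine with that exact name exists in package main, then call it via
# a code reference. No attacker-controlled text ever reaches eval().
sub dispatch_safe {
    my ($PluginMode) = @_;
    unless (defined $PluginMode && $PluginMode =~ /^[A-Za-z0-9_]{1,64}\z/) {
        return (undef, "invalid pluginmode");
    }
    my $code = 'main'->can("BuildFullHTMLOutput_$PluginMode");
    return (undef, "unknown plugin '$PluginMode'") unless $code;
    return ($code->(), undef);
}

# Constructed inputs: a legitimate plugin name, a name that exists nowhere,
# and the shape of value the report describes (extra statements after ';').
for my $mode ('demo', 'missing', 'demo();print("injected")') {
    my ($out, $err) = dispatch_safe($mode);
    printf "%-28s => %s\n", $mode, defined $out ? $out : "rejected ($err)";
}
print "unsafe path, benign value: ", dispatch_unsafe('other'), "\n";
```

The regex check alone is the important line; the can() lookup additionally stops a valid-looking identifier from reaching any routine other than the intended BuildFullHTMLOutput_* family.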