2005/02/03, wiki.debian.org.tw was hax0red by aneurysm.inc, who
is a cracker from Brazil. He successfully changed several web pages
on the host, but failed to bind a shell or install a trojan. He
filed a defacement on zone-h.org. http://www.zone-h.org/en/defacements/view/id=2038714/
I noticed that Joey did an NMU with the patch from Ubuntu 20 days ago,
but the patch did not address all vulnerabilities. There is
another input validation vulnerability. The "pluginmode" parameter
can be exploited in a call to the Perl routine eval(), which allows
attackers to execute arbitrary commands.
You can see it on lines 5660-5666 of awstats.pl 6.2. An attacker can prefix
arbitrary commands with ':system(cmd)' or ';system(cmd)' through a
URI parameter. The attachment is my quick and dirty workaround patch.
5659 # AWStats output is replaced by a plugin output
5660 if ($PluginMode) {
5661 my $function="BuildFullHTMLOutput_$PluginMode()";
5662 eval("$function");
5663 if ($? || $@) { error("$@"); }
5664 &html_end(0);
5665 exit 0;
5666 }
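As an added illustration (not code from this mail, from its attached patch, or from AWStats), the unsafe eval() dispatch pattern shown above is placed beside a hardened dispatch that validates the parameter and resolves it through a lookup table instead of building Perl source; the plugin names and BuildFullHTMLOutput_* routines are hypothetical.

```perl
#!/usr/bin/perl
# Added example (not from the original mail or from AWStats): the eval()
# dispatch described in the report, beside a hardened dispatch that never
# turns user input into code. Plugin names and routines are hypothetical.
use strict;
use warnings;

# Hypothetical plugin output routine that the unsafe pattern reaches by name.
sub BuildFullHTMLOutput_geoip { return "geoip report" }

# Unsafe pattern (shape of awstats.pl 6.2 lines 5660-5666): the parameter
# value is interpolated into Perl source, so any code the parser accepts
# after the plugin name is executed with the web server's privileges.
sub run_plugin_unsafe {
    my ($PluginMode) = @_;
    my $function = "BuildFullHTMLOutput_$PluginMode()";
    my $out = eval($function);
    return $@ ? "error: $@" : $out;
}

# Hardened dispatch: the table is the allowlist of selectable plugins, and
# the coderef is called directly, so no string is ever compiled as code.
my %PLUGIN_OUTPUT = (
    geoip   => \&BuildFullHTMLOutput_geoip,
    tooltip => sub { return "tooltip report" },
);

sub run_plugin_safe {
    my ($PluginMode) = @_;
    # Strict allowlist pattern: identifier characters only, bounded length,
    # anchored with \z so a trailing newline cannot slip past the check.
    return "error: invalid pluginmode"
        unless defined $PluginMode && $PluginMode =~ /^[A-Za-z0-9_]{1,64}\z/;
    my $handler = $PLUGIN_OUTPUT{$PluginMode}
        or return "error: unknown plugin '$PluginMode'";
    return $handler->();
}

# Constructed sample values as they might arrive in the pluginmode parameter.
for my $value ('geoip', 'tooltip', "geoip;x", "geoip\n", 'nosuchplugin') {
    printf "%-14s -> %s\n", "'" . ($value =~ s/\n/\\n/gr) . "'",
        run_plugin_safe($value);
}
# Only the plain, known names reach a handler; everything else is refused
# before any code path that depends on the value runs.
printf "unsafe('geoip') -> %s\n", run_plugin_unsafe('geoip');
```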
Please
* announce a DSA.
* upgrade to awstats 6.3 ASAP.
Message-ID: <email address hidden>
Date: Sun, 06 Feb 2005 06:52:24 +0800
From: Rex Tsai <email address hidden>
To: <email address hidden>
Cc: <email address hidden>, <email address hidden>, <email address hidden>, <email address hidden>,
Jonas Smedegaard <email address hidden>
Subject: AWStats Multiple Unspecified Remote Input Validation Vulnerabilities
Best Regards
-Rex