Comment 18 for bug 12019

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sun, 06 Feb 2005 06:52:24 +0800
From: Rex Tsai <email address hidden>
To: <email address hidden>
Cc: <email address hidden>, <email address hidden>, <email address hidden>, <email address hidden>,
 Jonas Smedegaard <email address hidden>
Subject: AWStats Multiple Unspecified Remote Input Validation Vulnerabilities


  On 2005/02/03, wiki.debian.org.tw was hax0red by aneurysm.inc, who
is a cracker from Brasil. He successfully changed several web pages
on the host, but failed to bind a shell or install a trojan. He
filed a defacement on zone-h.org.
http://www.zone-h.org/en/defacements/view/id=2038714/

  I noticed that Joey did an NMU with the patch from Ubuntu 20 days ago,
but the patch did not address all vulnerabilities. There is
another input validation vulnerability. The "pluginmode" parameter
can be exploited in a call to the perl routine eval(), which allows
attackers to execute arbitrary commands.

You can see it on lines 5660-5666 of awstats.pl 6.2. An attacker can prefix
arbitrary commands with ':system(cmd)' or ';system(cmd)' through a
URI parameter. The attachment is my quick and dirty workaround patch.

  5659 # AWStats output is replaced by a plugin output
  5660 if ($PluginMode) {
  5661     my $function="BuildFullHTMLOutput_$PluginMode()";
  5662     eval("$function");
  5663     if ($? || $@) { error("$@"); }
  5664     &html_end(0);
  5665     exit 0;
  5666 }

Please
  * announce a DSA.
  * upgrade to awstats 6.3 ASAP.

Best Regards
-Rex
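The defect in the quoted lines is that the request parameter is interpolated into a string handed to eval(), so any character that is not part of a Perl identifier becomes code. The following is an added example, not AWStats code and not the attached workaround patch: it checks the value against the shape of an identifier, untaints it, and dispatches through a table of known handlers so that no string eval() is needed at all. The plugin names "foo" and "bar", their BuildFullHTMLOutput_* stand-ins and the sample inputs are constructed for the demonstration; a real installation would populate the table from the plugins it actually loaded.

```perl
#!/usr/bin/perl
# Added example (not AWStats code): validate the plugin mode before
# dispatch, and dispatch through a table instead of a string eval().
use strict;
use warnings;

# Constructed stand-ins for the real BuildFullHTMLOutput_* routines.
sub BuildFullHTMLOutput_foo { return "<html>foo plugin output</html>"; }
sub BuildFullHTMLOutput_bar { return "<html>bar plugin output</html>"; }

# Allow-list of plugin modes this installation knows about
# (hypothetical names; the real list comes from the loaded plugins).
my %PluginOutput = (
    foo => \&BuildFullHTMLOutput_foo,
    bar => \&BuildFullHTMLOutput_bar,
);

# Returns the plugin's output, or undef if the mode is not acceptable.
sub run_plugin_mode {
    my ($mode) = @_;
    return undef unless defined $mode;

    # Syntactic check first: a plugin mode must look like a Perl
    # identifier, so ':', ';', '(' and friends can never reach any eval.
    return undef unless $mode =~ /^([A-Za-z_]\w*)$/;
    my $name = $1;    # untainted copy (also satisfies taint mode, -T)

    # Semantic check: only dispatch to a handler we registered ourselves.
    my $handler = $PluginOutput{$name} or return undef;
    return $handler->();
}

# Demonstration on constructed inputs, including the two malformed
# shapes described in the report above.
for my $input ('foo', 'bar', 'nosuchplugin',
               'foo;system("true")', 'foo:system("true")') {
    my $out = run_plugin_mode($input);
    printf "%-22s => %s\n", $input, defined $out ? $out : "rejected";
}
```

The identifier check alone would already stop the injection shown in the report, but keeping the dispatch table means a future plugin name with unusual characters cannot quietly reopen the eval() path, and an unknown mode is rejected rather than producing a Perl error that error() would print back to the client.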
