[Pkg-awstats-devel] Bug#365910: AWStats: Malicious config file shell code injection

Charles Fry debian at frogcircus.org
Fri May 5 17:04:44 UTC 2006


> Source: http://www.osreviews.net/reviews/comm/awstats
> 
> | Arbitrary code can be executed by uploading a specially crafted
> | configuration file if an attacker can put a file on the server with
> | chosen file name and content (e.g. by using an FTP account on a
> | shared hosting server). In this configuration file, the LogFile
> | directive can be used to execute shell code following a pipe
> | character. As above, an open call on unsanitized input is the source
> | of this vulnerability.

Thank you, Hendrik, for passing along this information.

In this case, this report doesn't appear to be an actual security
vulnerability. The configuration file needs to be placed in
/etc/awstats, /usr/local/etc/awstats, /etc, or /etc/opt/awstats. This
cannot be done without having root access (nor can the current
configuration files be modified without root access). Someone with root
permissions can already execute shell code with broader permissions than
the webserver, so this "attack" seems like a non-issue to me.

cheers,
Charles

-- 
Hit 'em high
Hit 'em low
It's action rooters crave
Millions boast -- millions toast
The All-American shave
Burma-Shave
http://burma-shave.org/jingles/1933/hit_em_high2
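The reply's point is that a LogFile directive is only a problem if the config file it lives in can be written by someone other than root. As an added example (not part of this thread or of AWStats itself), the Python audit below applies that reasoning: it checks that a config sits in one of the directories named above, is owned by root and is not group/other writable, and reports a LogFile value that ends in a pipe, which the quoted report says is opened as a command rather than read as a file. The config texts, paths, uids and modes are constructed; `audit_path` is the hook for checking real files.

```python
import os
import re

# Directories AWStats reads its config from (listed in the reply above); root-writable only.
TRUSTED_CONFIG_DIRS = ("/etc/awstats", "/usr/local/etc/awstats", "/etc", "/etc/opt/awstats")
# Directive lines look like  LogFile="/var/log/apache2/access.log"
DIRECTIVE_RE = re.compile(r'^\s*(\w+)\s*=\s*"?(.*?)"?\s*$')

def parse_directives(text):
    """Return {name: value} for KEY="value" lines, skipping blanks and # comments."""
    out = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            out[m.group(1)] = m.group(2)
    return out

def logfile_runs_command(value):
    """A LogFile value ending in '|' is opened as a command to run, not a file to read."""
    return value.rstrip().endswith("|")

def config_is_trusted(path, st_uid, st_mode):
    """Trust a config only if it is in a root-controlled dir, root-owned and not group/other writable."""
    in_trusted_dir = os.path.dirname(os.path.normpath(path)) in TRUSTED_CONFIG_DIRS
    not_writable = not (st_mode & 0o022)  # group and other write bits
    return in_trusted_dir and st_uid == 0 and not_writable

def audit_config(path, text, st_uid, st_mode):
    """Return findings for one config (file metadata passed in so this runs offline)."""
    findings = []
    if not config_is_trusted(path, st_uid, st_mode):
        findings.append(f"{path}: outside root-controlled dirs or writable by non-root")
    log = parse_directives(text).get("LogFile", "")
    if logfile_runs_command(log):
        findings.append(f"{path}: LogFile runs a command: {log!r}")
    return findings

def audit_path(path):
    """Audit a real file: stat and read it, then apply the checks above."""
    st = os.stat(path)
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_config(path, fh.read(), st.st_uid, st.st_mode)

if __name__ == "__main__":
    # Constructed inputs: a root-owned config under /etc/awstats, and one in an
    # unprivileged user's home (uid 1000) whose LogFile is a pipeline.
    good = 'SiteDomain="example.org"\nLogFile="/var/log/apache2/access.log"\n'
    piped = 'LogFile="gzip -d </var/log/apache2/access.log.1.gz |"\n'
    print(audit_config("/etc/awstats/awstats.example.conf", good, 0, 0o100644))   # []
    print(audit_config("/home/alice/awstats.alice.conf", piped, 1000, 0o100644))  # two findings
```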