Bug#365909: [Pkg-awstats-devel] Bug#365909: AWStats: Shell code
injection via 'migrate'
Charles Fry
debian at frogcircus.org
Fri May 5 17:11:44 UTC 2006
> Source: http://www.osreviews.net/reviews/comm/awstats
>
> | If the update of the stats via web front-end is allowed, a remote
> | attacker can execute arbitrary code on the server using a specially
> | crafted request involving the migrate parameter. Input starting with
> | a pipe character ("|") leads to an insecure call to Perl's open
> | function and the rest of the input being executed in a shell. The
> | code is run in the context of the process running the AWStats CGI.
>
> Note that AllowToUpdateStatsFromBrowser, which is required for
> successful exploitation, is disabled by default.

This one is indeed a bug, which is fixed in version 6.6.

Eldy, since we need to patch fixes for this bug into previously released
versions of the Debian awstats package, can you please confirm the exact
change required to fix this?

A cursory overview of version 6.5 and 6.6 suggests that we need to
change:

    $MigrateStats=&DecodeEncodedString("$2");

to:

    $MigrateStats=&Sanitize(&DecodeEncodedString("$2"));

Is that correct?

thanks,
Charles
--
The more
You shave
The brushless way
The more you'll be
Inclined to say--
Burma-Shave
http://burma-shave.org/jingles/1948/the_more
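
The report quoted in this message describes request input that begins with "|" reaching Perl's open function and running in a shell. The following is an added example, not part of the original message and not AWStats code. It shows the general defensive pattern of validating the value and then using three-argument open. The function names, the allowlist pattern and the sample inputs are assumptions made for illustration, and the body of AWStats' own Sanitize function is not shown on this page.

```perl
#!/usr/bin/perl
# Added example, not AWStats code. Names and the allowlist are assumptions.
use strict;
use warnings;

# Hypothetical allowlist for a history-file path taken from a request:
# word characters, dots, dashes and slashes only, and no ".." component.
sub is_plain_path {
    my ($p) = @_;
    return 0 unless defined $p && length $p;
    return 0 unless $p =~ m{\A[\w./-]+\z};
    return 0 if grep { $_ eq '..' } split m{/}, $p;
    return 1;
}

# Three-argument open: the mode is its own argument, so nothing inside
# $path can select pipe mode. A leading "|" is only part of a file name.
sub open_history_file {
    my ($path) = @_;
    die "rejected path\n" unless is_plain_path($path);
    open(my $fh, '<', $path) or die "cannot open: $!\n";
    return $fh;
}

# Vulnerable pattern, for contrast only (not executed here): with two
# arguments Perl parses the mode out of the string itself, so a value
# that starts or ends with "|" is run as a command.
#   open(my $fh, $path);

# Constructed sample inputs.
for my $input ('awstats052006.example.txt', '| id', 'id |', '../../etc/passwd') {
    my $verdict = is_plain_path($input) ? 'accepted' : 'rejected';
    printf "%-30s %s\n", "'$input'", $verdict;
}

# Even without the allowlist, three-argument open treats "| id" as a
# literal file name and simply fails to find it.
if (!open(my $fh, '<', '| id')) {
    print "three-arg open of '| id' failed: $!\n";
}
```

Only the first sample value passes the allowlist. The final check prints an ordinary file-not-found error, because the string was never interpreted as a command.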