Bug#365910: [Pkg-awstats-devel] Bug#365910: AWStats: Malicious config file shell code injection

Charles Fry debian at frogcircus.org
Fri May 5 20:56:40 UTC 2006


> Exploit #2: http://www.example.com/cgi-bin/awstats.pl?configdir=/tmp
> with the attached file being placed in /tmp.

I see. So I assume that $LogFile must be run through Sanitize prior to
being opened, or at least checked for pipes?

I notcied the following related chunk of code:

    # Deny LogFile if contains a pipe and PurgeLogFile || ArchiveLogRecords set on
    if (($PurgeLogFile || $ArchiveLogRecords) && $LogFile =~ /\|\s*$/) {
        error("A pipe in log file name is not allowed if PurgeLogFile and ArchiveLogRecords are not set to 0");
    }

This suggests some previous thought about pipes. I'm trying to figure
out why they would ever be useful in a LogFile (since they are obviously
trying to account for them).

Is it correct to always deny pipes in LogFile?

Charles

-- 
A Christmas hug
A birthday kiss
Awaits
The woman
Who gives this
Burma-Shave
http://burma-shave.org/jingles/1940/a_christmas_hug
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.alioth.debian.org/pipermail/pkg-awstats-devel/attachments/20060505/fe65d036/attachment.pgp


More information about the Pkg-awstats-devel mailing list