[Fwd: Re: Bug#365910: [Pkg-awstats-devel] Bug#365910: AWStats: Malicious config file shell code injection]

Laurent Destailleur (Eldy) eldy at users.sourceforge.net
Sat May 6 01:30:24 UTC 2006


Charles Fry wrote:
> Eldy,
>
> Can you please comment on the following report from
> http://www.osreviews.net/reviews/comm/awstats :
>
> | Arbitrary code can be executed by uploading a specially crafted
> | configuration file if an attacker can put a file on the server with
> | chosen file name and content (e.g. by using an FTP account on a
> | shared hosting server). In this configuration file, the LogFile
> | directive can be used to execute shell code following a pipe
> | character. As above, an open call on unsanitized input is the source
> | of this vulnerability.
>   
3 points:

1- It is said that migrate is not sanitized and can be used to pass a 
command when called by the open function.

Answer: It's true that migrate was not sanitized, so I changed this in 
6.6, but this parameter is never called by any open function. So I fixed 
this, but even if not fixed I can't see where the hole is, as this 
parameter is never used as an "executable" variable by any open function.

2- Arbitrary code can be executed by uploading a specially crafted 
configuration file if an attacker can put a file on the server with 
chosen file name and content (e.g. by using an FTP account on a shared 
hosting server). In this configuration file, the LogFile directive can 
be used to execute shell code following a pipe character. As above, an 
open call on unsanitized input is the source of this vulnerability.

Answer: It's true that if a user is allowed to put a file on his web 
server in a directory alphabeta, by ftp, he can ask awstats to execute a 
command by the webserver through this file by adding the parameter 
configdir=alphabeta, meaning awstats will use the config file the user 
chose. To fix this, you can change the line

if ($configdir) { @PossibleConfigDir=("$configdir"); }
by
if ($configdir && $ENV{"AWSTATS_ENABLE_CONFIG_DIR"}) { @PossibleConfigDir=("$configdir"); }

By default AWSTATS_ENABLE_CONFIG_DIR is not defined in a web server 
environment, so overriding configdir is not possible; so even if a user 
can ftp his own config file, he can't force awstats to read it.


3- This is fixed by line I put in AWStats 6.6:
$QueryString = CleanFromCSSA(&DecodeEncodedString($QueryString));
instead of
$QueryString = CleanFromCSSA($QueryString);

Because the string is sanitized by CleanFromCSSA but if the CSS code is 
url encoded, the function does not see it. So we first have to url 
decode and only after, sanitize it.



Note FYI:
CleanFromCSSA sanitizes strings against CSS attacks. It is used for all 
parameters that are written in the html output.
Sanitize sanitizes strings against command line pipe attacks. It must be 
used for all parameters that are used inside an "open" Perl function.


So, in conclusion (and this will also answer a previous mail), to fix 
this now without waiting for 6.6, what you must patch is:

Change the line
$QueryString = CleanFromCSSA($QueryString);
into
$QueryString = CleanFromCSSA(&DecodeEncodedString($QueryString));

And change the line
if ($configdir) { @PossibleConfigDir=("$configdir"); }
by
if ($configdir && $ENV{"AWSTATS_ENABLE_CONFIG_DIR"}) { @PossibleConfigDir=("$configdir"); }



> thanks,
> Charles
>
> ----- Forwarded message from Hendrik Weimer <hendrik at enyo.de> -----
>
> From: Hendrik Weimer <hendrik at enyo.de>
> Subject: Re: Bug#365910: [Pkg-awstats-devel] Bug#365910: AWStats: Malicious config file shell code injection
> Date: Fri, 05 May 2006 19:44:10 +0200
> To: Charles Fry <debian at frogcircus.org>
> Cc: 365910 at bugs.debian.org
>
> Charles Fry <debian at frogcircus.org> writes:
>
>   
>> In this case, this report doesn't appear to be an actual security
>> vulnerability. The configuration file needs to be placed in
>> /etc/awstats, /usr/local/etc/awstats, /etc, or /etc/opt/awstats. This
>> can not be done without having root access (nor can the current
>> configuration files be modified without root access). Someone with root
>> permissions can already execute shell code with broader permissions than
>> the webserver, so this "attack" seems like a non-issue to me.
>>     
>
> Exploit #2: http://www.example.com/cgi-bin/awstats.pl?configdir=/tmp
> with the attached file being placed in /tmp.
>
> Hendrik
>
>
>
>
> ----- End forwarded message -----
>
>   


-- 
Laurent Destailleur.
---------------------------------------------------------------
EMail: eldy at users.sourceforge.net
Web: http://www.destailleur.fr
IM: IRC=Eldy, Jabber=Eldy

AWStats (Author) : http://awstats.sourceforge.net
Dolibarr (Contributor) : http://www.dolibarr.com
CVSChangeLogBuilder (Author) : http://cvschangelogb.sourceforge.net
AWBot (Author) : http://awbot.sourceforge.net
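The two fixes discussed in the mail above, modelled in Python as an added example (this is not AWStats's Perl code; the sanitizer and decoder are simplified stand-ins for CleanFromCSSA and DecodeEncodedString, and the sample query string is constructed). It shows why sanitizing before URL-decoding misses an encoded tag, and how gating configdir on AWSTATS_ENABLE_CONFIG_DIR keeps a caller-supplied directory from being used.

```python
import re
from urllib.parse import unquote

# Constructed sample: an HTML tag hidden behind %XX URL encoding.
ENCODED_QS = "config=site&output=%3Cscript%3Ealert(1)%3C%2Fscript%3E"

# Directories the Debian report lists as the fixed config locations.
DEFAULT_CONFIG_DIRS = ["/etc/awstats", "/usr/local/etc/awstats",
                       "/etc", "/etc/opt/awstats"]


def decode_encoded_string(s):
    """Stand-in for DecodeEncodedString: undo %XX URL encoding."""
    return unquote(s)


def clean_from_cssa(s):
    """Stand-in for CleanFromCSSA: drop anything that looks like an HTML
    tag. Like the real one, it only recognises *literal* angle brackets,
    so an encoded '%3C' passes straight through."""
    return re.sub(r"<[^>]*>", "", s)


def sanitize_then_decode(qs):
    """Pre-6.6 order: the sanitizer sees the still-encoded string, and the
    tag only appears when the parameters are decoded afterwards."""
    return decode_encoded_string(clean_from_cssa(qs))


def decode_then_sanitize(qs):
    """6.6 order from the mail: decode first, then sanitize."""
    return clean_from_cssa(decode_encoded_string(qs))


def contains_tag(s):
    """True when a literal HTML tag survives in the output string."""
    return re.search(r"<[^>]*>", s) is not None


def possible_config_dirs(configdir, env):
    """Model of the patched PossibleConfigDir line: honour a configdir
    from the query string only when AWSTATS_ENABLE_CONFIG_DIR is set in
    the web server environment; otherwise use the fixed list."""
    if configdir and env.get("AWSTATS_ENABLE_CONFIG_DIR"):
        return [configdir]
    return list(DEFAULT_CONFIG_DIRS)
```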