2005/02/03, wiki.debian.org.tw was hax0red by aneurysm.inc, who
is a cracker from Brazil. He successfully changed several web pages
on the host, but failed to bind a shell or install a trojan. He
filed a defacement on zone-h.org.
http://www.zone-h.org/en/defacements/view/id=2038714/

  I noticed that Joey did an NMU with a patch from Ubuntu 20 days ago,
but the patch did not address all vulnerabilities. There is
another input validation vulnerability. The "pluginmode" parameter
can be exploited in a call to the Perl routine eval(), which allows
attackers to execute arbitrary commands.

You can see this on lines 5660-5666 of awstats.pl 6.2. An attacker can prefix
arbitrary commands with ':system(cmd)' or ';system(cmd)' through a
URI parameter. The attachment is my quick and dirty workaround patch.

  5659  # AWStats output is replaced by a plugin output
  5660  if ($PluginMode) {
  5661          my $function="BuildFullHTMLOutput_$PluginMode()";
  5662          eval("$function");
  5663          if ($? || $@) { error("$@"); }
  5664          &html_end(0);
  5665          exit 0;
  5666  }

Please
  * announce a DSA.
  * upgrade to awstats 6.3 ASAP.

Best Regards
-Rex
--- awstats.pl  2005-02-06 06:05:54.000000000 +0800
+++ awstats.pl.orig     2004-10-31 02:02:24.000000000 +0800
@@ -5333,8 +5333,8 @@
 
        if ($QueryString =~ /config=([^&]+)/i)                          { 
$SiteConfig=&DecodeEncodedString("$1"); }
        if ($QueryString =~ /diricons=([^&]+)/i)                        { 
$DirIcons=&DecodeEncodedString("$1"); }
-       if ($QueryString =~ /pluginmode=([^&]+)/i)                      { 
$PluginMode=&DecodeEncodedString("$1"); $PluginMode =~ s/[^\w_\-\\\/\.\s]//g}
-       if ($QueryString =~ /configdir=([^&]+)/i)                       { 
$DirConfig=&DecodeEncodedString("$1"); $DirConfig =~ s/[^\w_\-\\\/\.\s]//g }
+       if ($QueryString =~ /pluginmode=([^&]+)/i)                      { 
$PluginMode=&DecodeEncodedString("$1"); }
+       if ($QueryString =~ /configdir=([^&]+)/i)                       { 
$DirConfig=&DecodeEncodedString("$1"); }
        # All filters
        if ($QueryString =~ /hostfilter=([^&]+)/i)                      { 
$FilterIn{'host'}=&DecodeEncodedString("$1"); }                       # Filter 
on host list can also be defined with hostfilter=filter
        if ($QueryString =~ /hostfilterex=([^&]+)/i)            { 
$FilterEx{'host'}=&DecodeEncodedString("$1"); }                       #
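Review bot: the file headers are reversed (--- awstats.pl, +++ awstats.pl.orig), so the pluginmode and configdir lines that carry the new s/[^\w_\-\\\/\.\s]//g filter show up as removals and the unfiltered originals as additions; applied as posted, this would take the sanitization out of an already fixed file. Regenerate it with the original as the old file (diff -u awstats.pl.orig awstats.pl). On the filter itself, for pluginmode the character class still lets backslash, slash, dot, hyphen and whitespace through, none of which can appear in the sub name built as BuildFullHTMLOutput_$PluginMode, so it would be tighter to accept the value only if it matches /^\w+$/ and reject it otherwise, rather than silently deleting characters. The neighbouring parameters visible in the context lines (config, diricons, hostfilter, hostfilterex) are still taken from the query string without any filter and deserve the same look.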

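An added example, not part of the original message or of AWStats: one way to call the plugin routine from lines 5660-5666 without string eval, by validating the pluginmode value and resolving the sub by name. The routine BuildFullHTMLOutput_demo, the helper resolve_plugin_handler and the sample inputs are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical plugin output routine, standing in for a real plugin's sub.
sub BuildFullHTMLOutput_demo { return "<p>demo plugin output</p>\n"; }

# Return a code ref for the requested plugin mode, or nothing if the value
# is not a plain identifier or no such routine is defined.
sub resolve_plugin_handler {
    my ($mode) = @_;
    # Reject rather than strip: ASCII identifier characters only, anchored
    # with \A and \z so a trailing newline cannot slip past the check.
    return unless defined $mode && $mode =~ /\A[A-Za-z0-9_]{1,64}\z/;
    # can() looks the sub up by name; the value is never compiled as Perl code.
    return __PACKAGE__->can("BuildFullHTMLOutput_$mode");
}

# Constructed sample values for the pluginmode parameter.
my @samples = ('demo', 'demo;system(cmd)', 'demo:system(cmd)', 'missing', "demo\n");

for my $mode (@samples) {
    my $handler = resolve_plugin_handler($mode);
    (my $shown = $mode) =~ s/\n/\\n/g;    # make the newline visible in output
    printf "%-18s => %s\n", $shown, $handler ? 'dispatched' : 'rejected';
    print $handler->() if $handler;
}
```

Only the first sample is dispatched; the others are rejected before any lookup or call happens.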