2005/02/03, wiki.debian.org.tw was hax0red by aneurysm.inc, who is a cracker from Brasil. He successfully changed several web pages on the host, but failed to bind a shell or install a trojan. He filed a defacement on zone-h.org. http://www.zone-h.org/en/defacements/view/id=2038714/
I noticed that Joey did an NMU with the patch from Ubuntu 20 days ago, but the patch did not address all vulnerabilities. There is another input validation vulnerability. The "pluginmode" parameter can be exploited in a call to the Perl routine eval(), which allows attackers to execute arbitrary commands. You can see it on lines 5660-5666 of awstats.pl 6.2. An attacker can prefix arbitrary commands with ':system(cmd)' or ';system(cmd)' through a URI parameter. The attachment is my quick and dirty workaround patch.

5659 # AWStats output is replaced by a plugin output
5660 if ($PluginMode) {
5661 	my $function="BuildFullHTMLOutput_$PluginMode()";
5662 	eval("$function");
5663 	if ($? || $@) { error("$@"); }
5664 	&html_end(0);
5665 	exit 0;
5666 }

Please
 * announce a DSA.
 * upgrade to awstats 6.3 ASAP.

Best Regards
-Rex
--- awstats.pl 2005-02-06 06:05:54.000000000 +0800 +++ awstats.pl.orig 2004-10-31 02:02:24.000000000 +0800 @@ -5333,8 +5333,8 @@ if ($QueryString =~ /config=([^&]+)/i) { $SiteConfig=&DecodeEncodedString("$1"); } if ($QueryString =~ /diricons=([^&]+)/i) { $DirIcons=&DecodeEncodedString("$1"); } - if ($QueryString =~ /pluginmode=([^&]+)/i) { $PluginMode=&DecodeEncodedString("$1"); $PluginMode =~ s/[^\w_\-\\\/\.\s]//g} - if ($QueryString =~ /configdir=([^&]+)/i) { $DirConfig=&DecodeEncodedString("$1"); $DirConfig =~ s/[^\w_\-\\\/\.\s]//g } + if ($QueryString =~ /pluginmode=([^&]+)/i) { $PluginMode=&DecodeEncodedString("$1"); } + if ($QueryString =~ /configdir=([^&]+)/i) { $DirConfig=&DecodeEncodedString("$1"); } # All filters if ($QueryString =~ /hostfilter=([^&]+)/i) { $FilterIn{'host'}=&DecodeEncodedString("$1"); } # Filter on host list can also be defined with hostfilter=filter if ($QueryString =~ /hostfilterex=([^&]+)/i) { $FilterEx{'host'}=&DecodeEncodedString("$1"); } #
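Review bot: the diff headers are reversed (`--- awstats.pl 2005-02-06` is the patched file, `+++ awstats.pl.orig` the pristine one), so the two sanitising lines appear as `-` removals and a plain `patch` run against a stock awstats.pl will refuse the hunk or ask to apply it reversed; regenerate it as `diff -u awstats.pl.orig awstats.pl` so the fix shows as `+` lines. On the content of the fix: `$PluginMode =~ s/[^\w_\-\\\/\.\s]//g` strips characters instead of rejecting the request, and still lets `.`, `/`, `\` and whitespace through into a value that line 5661 interpolates into the string handed to eval(). Since BuildFullHTMLOutput_<name> can only ever be a bare identifier, a stricter check such as `if ($PluginMode !~ /^\w+$/) { error("Invalid pluginmode"); }` closes the gap without relying on the character strip; `$DirConfig` is a path and legitimately needs `/` and `.`, so it needs its own rule rather than the same one.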
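A hardened replacement for the eval() dispatch at lines 5660-5666, as an added Perl example: this is not code from the report or from AWStats itself, and the plugin names and output routines are made up to stand in for the real BuildFullHTMLOutput_<name>() subs.

```perl
#!/usr/bin/perl
# Added example, not from the report or from AWStats: a replacement for the
# string eval() at awstats.pl lines 5660-5666. The plugin output routines are
# registered in a hash, and the request parameter is validated against a
# strict allow-list before it is used as a key, so request data can never
# become code.
use strict;
use warnings;

# Hypothetical plugin output routines standing in for the real
# BuildFullHTMLOutput_<name>() subs in awstats.pl.
my %PluginOutput = (
    hashfiles => sub { return "<html>hashfiles output</html>" },
    tooltips  => sub { return "<html>tooltips output</html>" },
);

# Accept only a bare ASCII identifier. Anything else (':', ';', '(', '/',
# whitespace, ...) is rejected outright rather than stripped, so a tampered
# value produces an error instead of silently turning into another name.
sub parse_plugin_mode {
    my ($value) = @_;
    return unless defined $value;
    return $1 if $value =~ /\A([A-Za-z0-9_]+)\z/;   # validates and untaints
    return;
}

# Dispatch through the hash: no code is built from the request.
sub run_plugin_output {
    my ($raw) = @_;
    my $mode = parse_plugin_mode($raw);
    return "ERROR: invalid pluginmode parameter" unless defined $mode;
    return "ERROR: unknown plugin '$mode'"       unless exists $PluginOutput{$mode};
    return $PluginOutput{$mode}->();
}

# Constructed sample values, as they would come out of DecodeEncodedString().
for my $sample ('hashfiles', 'tooltips', 'nosuchplugin', 'hashfiles:system(cmd)') {
    printf "%-22s -> %s\n", $sample, run_plugin_output($sample);
}
```

The last sample value is the shape of input the report describes; with the hash dispatch it is refused before anything is evaluated, whereas the character-stripping regex would have quietly turned it into a different plugin name.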