Date: Fri Aug 12 00:12:04 2005
From: eldy at users.sourceforge.net (Laurent Destailleur (Eldy))
Subject: Re: iDEFENSE Security Advisory 08.09.05: AWStats
 ShowInfoURL Remote Command Execution Vulnerability

Martin Pitt wrote:

>Hi Laurent, hi iDEFENSE!
>
>  
>
The eval function still exists; however, the parameters inside have been 
sanitized, which explains why the known exploits do not work any more. 
However, maybe there is still a way to crack this (despite the sanitizing), 
but I can't "see" how for the moment.
To be sure, I decided to completely remove the "eval" function with 6.5, 
which is in beta, but I consider 6.4 safe (until a way to hack the 
sanitizing is found).

>iDEFENSE Labs [2005-08-09 12:24 -0400]:
>  
>
>>Shown as follows, the $url parameter contains unfiltered user-supplied 
>>data that is used in a call to the Perl routine eval() on lines 4841 
>>and 4842 of awstats.pl (version 6.4):
>>
>>     my $function="ShowInfoURL_$pluginname('$url')";
>>     eval("$function");
>>    
>>
>
>Thanks for spotting this. Also, please note that you correctly state
>that this vulnerable code is from 6.4
>
>  
>
>>iDEFENSE Labs has confirmed the existence of this vulnerability in 
>>AWStats 6.3. All earlier versions are suspected vulnerable. AWStats 6.4 
>>has been released since the initial research on this vulnerability. 
>>AWStats 6.4 has replaced all eval() statements, and has mitigated the 
>>exposure to this vulnerability.
>>    
>>
>
>6.4 still contains loads of eval() statements, and still seems
>vulnerable against this flaw, since the quoted code hasn't changed at
>all.
>
>  
>
>>This vulnerability has been addressed with the release of AWStats 6.4.
>>    
>>
>
>As far as I can see, it is not yet fixed even in upstream CVS in
>awstats.pl.
>
>  http://cvs.sourceforge.net/viewcvs.py/awstats/awstats/wwwroot/cgi-bin/awstats.pl
>
>So am I totally confused and somehow this was fixed in a different
>place (although I can't see how)? Or is this not yet fixed at all?
>
>Thanks,
>
>Martin
>
>  
>


-- 
Laurent Destailleur.
---------------------------------------------------------------
EMail: eldy@...rs.sourceforge.net
Instant messenger: ICQ=89306207, Jabber=Eldy
Web: http://www.destailleur.fr
AWStats: http://awstats.sourceforge.net
CVSChangeLogBuilder: http://cvschangelogb.sourceforge.net
AWBot: http://awbot.sourceforge.net
Dolibarr: http//dolibarr.com
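
The call discussed in this message, `eval("ShowInfoURL_$pluginname('$url')")`, builds Perl source text from request data. As an added example (not part of the original message and not AWStats code), one way to make the same call without string eval is to resolve the sub by name and pass `$url` as an argument; the `demo` plugin and the `call_show_info_url` helper are hypothetical names.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical plugin hook, standing in for a real ShowInfoURL_<plugin> sub.
sub ShowInfoURL_demo {
    my ($url) = @_;
    return "info for [$url]";
}

# Call ShowInfoURL_<plugin>($url) without generating Perl source from input.
sub call_show_info_url {
    my ($pluginname, $url) = @_;

    # The plugin name becomes part of a sub name, so allow only
    # identifier characters (assumed naming rule for this example).
    die "bad plugin name\n" unless $pluginname =~ /\A[A-Za-z0-9_]+\z/;

    # Resolve the sub by name; can() returns undef if it is not defined.
    my $code = main->can("ShowInfoURL_$pluginname")
        or die "no such plugin hook\n";

    # $url is handed over as an argument value and is never parsed as code,
    # so quotes or parentheses in it cannot change what gets executed.
    return $code->($url);
}

# Constructed sample inputs: the quote and parentheses reach the hook unchanged.
for my $url ('/index.html', q{/it's(1).html}) {
    print call_show_info_url('demo', $url), "\n";
}

# Block eval here is only exception handling; no string is compiled.
for my $plugin ('demo;x', 'missing') {
    my $out = eval { call_show_info_url($plugin, '/index.html') };
    print "rejected '$plugin': $@" unless defined $out;
}
```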
