Message-ID: <20050811104545.GA9875@piware.de>
Date: Thu Aug 11 11:45:52 2005
From: martin.pitt at canonical.com (Martin Pitt)
Subject: Re: iDEFENSE Security Advisory 08.09.05: AWStats ShowInfoURL Remote Command Execution Vulnerability

Hi Laurent, hi iDEFENSE!

iDEFENSE Labs [2005-08-09 12:24 -0400]:
> Shown as follows, the $url parameter contains unfiltered user-supplied 
> data that is used in a call to the Perl routine eval() on lines 4841 
> and 4842 of awstats.pl (version 6.4):
> 
>      my $function="ShowInfoURL_$pluginname('$url')";
>      eval("$function");

Thanks for spotting this. Also, please note that you correctly state
that this vulnerable code is from 6.4.

> iDEFENSE Labs has confirmed the existence of this vulnerability in 
> AWStats 6.3. All earlier versions are suspected vulnerable. AWStats 6.4 
> has been released since the initial research on this vulnerability. 
> AWStats 6.4 has replaced all eval() statements, and has mitigated the 
> exposure to this vulnerability.

6.4 still contains loads of eval() statements, and still seems
vulnerable to this flaw, since the quoted code hasn't changed at
all.

> This vulnerability has been addressed with the release of AWStats 6.4.

As far as I can see, it is not yet fixed even in upstream CVS in
awstats.pl.

  http://cvs.sourceforge.net/viewcvs.py/awstats/awstats/wwwroot/cgi-bin/awstats.pl

So am I totally confused and somehow this was fixed in a different
place (although I can't see how)? Or is this not yet fixed at all?

Thanks,

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050811/2a0e69ea/attachment.bin
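
Added example, not part of the e-mail above and not AWStats' own code: it
reproduces the failure mode of the quoted awstats.pl lines (a caller-controlled
$url interpolated into a string that eval() then compiles as Perl source) and
puts a dispatch-table replacement beside it, in which the plugin is looked up
in an allow-list and $url is passed as an ordinary argument. The sub
ShowInfoURL_demo, the wrappers show_info_eval and show_info_safe, the hash
%info_url_plugins, the $injected flag and both input strings are assumptions
made for this demonstration.

```perl
#!/usr/bin/perl
# Added example (not AWStats code): string-interpolated eval() versus a
# dispatch table for calling a ShowInfoURL_* plugin hook.
use strict;
use warnings;

# Stand-in for a plugin hook; the real AWStats ShowInfoURL_* plugins are
# not reproduced here.
sub ShowInfoURL_demo {
    my ($url) = @_;
    return "info for $url";
}

# Vulnerable pattern, modelled on the quoted awstats.pl lines: $url is
# spliced into Perl source text before that text is compiled and run.
sub show_info_eval {
    my ($pluginname, $url) = @_;
    my $function = "ShowInfoURL_$pluginname('$url')";
    my $result   = eval("$function");
    return defined $result ? $result : "eval failed: $@";
}

# Hardened replacement: only plugins registered in this allow-list can be
# called, and $url is a scalar argument, never part of the code that runs.
my %info_url_plugins = ( demo => \&ShowInfoURL_demo );

sub show_info_safe {
    my ($pluginname, $url) = @_;
    my $handler = $info_url_plugins{$pluginname}
        or return "unknown plugin '$pluginname'";
    return $handler->($url);
}

# Constructed inputs (assumed, not taken from the advisory). The hostile one
# closes the single-quoted string and the call, appends a statement of the
# attacker's choosing, and re-opens a call so the generated source still
# parses. A real attack would put system() or similar in that slot; here the
# injected statement only sets a flag so the effect is visible.
our $injected = 0;
my $benign  = "http://example.com/";
my $hostile = "x'); \$main::injected = 1; ShowInfoURL_demo('y";

print show_info_eval('demo', $benign), "\n";
print show_info_eval('demo', $hostile), "\n";    # the injected statement runs
print "injected flag after eval version: $injected\n";

$injected = 0;
print show_info_safe('demo', $hostile), "\n";    # hostile text stays data
print "injected flag after safe version: $injected\n";
```

With the eval() version the injected assignment executes and the flag flips;
with the dispatch-table version the same string is handed to the plugin
unchanged and the flag stays at zero. The same separation of code from data is
what a fix for the quoted lines needs: pick the function by name from a fixed
table (or a symbolic reference checked against one) and pass $url as an
argument rather than rebuilding the call as source text.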
