Debian Bug report logs - #294488
awstats: Arbitrary command execution not completely fixed
Reported by: Celso Gonzalez <celso@bulma.net>
Date: Wed, 9 Feb 2005 23:03:04 UTC
Severity: grave
Tags: fixed, patch, sarge, security
Found in version 6.2-1.1
Fixed in version awstats/6.3-1
Done: Jonas Smedegaard <dr@jones.dk>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>: Bug#294488; Package awstats.
Acknowledgement sent to Celso Gonzalez <celso@bulma.net>: New Bug report received and forwarded. Copy sent to Jonas Smedegaard <dr@jones.dk>.
Message #5 received at submit@bugs.debian.org:
Package: awstats
Version: 6.2-1.1
Severity: grave
Tags: security
Justification: user security hole
The arbitrary command execution problem in the 6.2 release is composed
of several vulnerabilities.
Sarge and sid are affected.
The two known as
-configdir
-update
are solved in this version, but there is another one called
-pluginmode
and I have checked that the current version is vulnerable.
More information can be found at:
http://packetstormsecurity.nl/0501-exploits/AWStatsVulnAnalysis.pdf
Thanks in advance
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.10
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8)
Versions of packages awstats depends on:
ii perl [libstorable-perl] 5.8.4-6 Larry Wall's Practical Extraction
-- no debconf information
Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>: Bug#294488; Package awstats.
Acknowledgement sent to Martin Pitt <mpitt@debian.org>: Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>.
Message #10 received at 294488@bugs.debian.org:
tag 294488 patch
thanks
Here is the patch used for the Ubuntu security update:
http://patches.ubuntu.com/patches/awstats.more-CAN-2005-0016.diff
awstats (6.2-1.1ubuntu1) hoary; urgency=low
.
* SECURITY UPDATE: fix more arbitrary command execution vulnerabilities
* wwwroot/cgi-bin/awstats.pl: remove all non-path characters from the
"config", "pluginmode", "loadplugin", and "noloadplugin" parameters (which
are defined by the remote user) to prevent execution of arbitrary shell
commands through shell metacharacters.
* References:
similar to CAN-2005-0116
http://packetstormsecurity.nl/0501-exploits/AWStatsVulnAnalysis.pdf
Martin
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian GNU/Linux Developer http://www.debian.org
[signature.asc (application/pgp-signature, inline)]
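As an added example (not code from awstats, from the Ubuntu patch or from this report): a small Perl script showing the sanitising step the changelog entry above describes, reducing the remote-controlled "config", "pluginmode", "loadplugin" and "noloadplugin" values to path-safe characters before they reach a file name or a plugin load. The character allow-lists, the `awstats.<config>.conf` naming convention and the function names are assumptions; the `../` handling also covers the loadplugin directory-traversal item listed in the 6.3-1 changelog further down.

```perl
#!/usr/bin/perl
# Added example: not code from awstats, from the Ubuntu patch or from this
# bug report. It shows the sanitising step the changelog entry describes:
# reduce the remote-controlled "config", "pluginmode", "loadplugin" and
# "noloadplugin" values to path-safe characters before they are used to
# build a file name or select a plugin.
use strict;
use warnings;

# Allow-list for values that may legitimately hold a relative path (config,
# loadplugin, noloadplugin). Assumed character set: letters, digits, '_',
# '-', '.' and '/'. Everything else, which includes every shell
# metacharacter, is dropped; then "../" steps are removed until none remain
# (so "..././" cannot re-form one) and a leading '/' is stripped, which also
# covers the directory-traversal case later fixed in 6.3-1.
sub sanitize_path_param {
    my ($value) = @_;
    return '' unless defined $value;
    $value =~ s{[^A-Za-z0-9_./-]}{}g;
    1 while $value =~ s{\.\./}{}g;
    $value =~ s{^/+}{};
    return $value;
}

# Stricter allow-list for a plugin name (pluginmode): it never needs a path
# separator or a dot, so anything outside [A-Za-z0-9_] rejects the whole
# value instead of being stripped. The capture also untaints the value
# under "perl -T".
sub sanitize_plugin_name {
    my ($value) = @_;
    return '' unless defined $value;
    return $value =~ /^([A-Za-z0-9_]+)\z/ ? $1 : '';
}

# Assumed naming convention: awstats.<config>.conf under a fixed directory.
sub config_path {
    my ($confdir, $config) = @_;
    my $name = sanitize_path_param($config);
    return undef if $name eq '';
    return "$confdir/awstats.$name.conf";
}

# Three-argument open with an explicit '<' mode: the path is only ever a file
# name. (With the two-argument form a value beginning or ending with '|'
# would be treated as a command to run, which is the Perl-level reason shell
# metacharacters in these parameters matter.)
sub open_config {
    my ($confdir, $config) = @_;
    my $path = config_path($confdir, $config);
    return undef unless defined $path;
    open(my $fh, '<', $path) or return undef;
    return $fh;
}

# Constructed sample values (not taken from the report).
my @samples = ('example.com', 'example.com|ls', 'sub/..././secret', 'rawlog;ls');
for my $s (@samples) {
    printf "%-22s  config/loadplugin -> %-18s  pluginmode -> %s\n",
        "'$s'",
        "'" . sanitize_path_param($s) . "'",
        "'" . sanitize_plugin_name($s) . "'";
}
```

Run it with `perl sanitize_example.pl`; the sample loop prints `example.com` unchanged, drops the `|` and `;` from the other two names, collapses `sub/..././secret` to `sub/secret`, and rejects every value but a bare word for pluginmode. Stripping characters (as the Ubuntu changelog describes) keeps existing installations working; rejecting the whole value, as the pluginmode variant does, is the stricter choice when a parameter has no legitimate reason to contain anything but a word.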
Tags added: patch. Request was from Martin Pitt <mpitt@debian.org> to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>: Bug#294488; Package awstats.
Acknowledgement sent to Martin Schulze <joey@infodrom.org>: Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>.
Message #17 received at 294488@bugs.debian.org:
Thanks.
Martin Pitt wrote:
> Here is the patch used for the Ubuntu security update:
>
> http://patches.ubuntu.com/patches/awstats.more-CAN-2005-0016.diff
CAN-2005-0016 is the gatos problem Debian fixed in DSA 640
> awstats (6.2-1.1ubuntu1) hoary; urgency=low
> .
> * SECURITY UPDATE: fix more arbitrary command execution vulnerabilities
> * wwwroot/cgi-bin/awstats.pl: remove all non-path characters from the
> "config", "pluginmode", "loadplugin", and "noloadplugin" parameters (which
> are defined by the remote user) to prevent execution of arbitrary shell
> commands through shell metacharacters.
> * References:
> similar to CAN-2005-0116
CAN-2005-0116 does not apply to the stable Debian release
http://www.debian.org/security/nonvulns-woody#CAN-2005-0116
However, from the patch you provided, at least the "config" is part
of the version in woody so we'll have to issue an update I guess.
Regards,
Joey
--
The good thing about standards is that there are so many to choose from.
-- Andrew S. Tanenbaum
Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>: Bug#294488; Package awstats.
Acknowledgement sent to Martin Schulze <joey@infodrom.org>: Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>.
Message #22 received at 294488@bugs.debian.org:
Use CAN-2005-0362 for fixing *plugin* variables
Use CAN-2005-0363 for fixing the config variable
Regards,
Joey
--
If you come from outside of Finland, you live in wrong country.
-- motd of irc.funet.fi
Please always Cc to me when replying to me on the lists.
Tags added: fixed. Request was from Joey Hess <joeyh@debian.org> to control@bugs.debian.org.
Reply sent to Jonas Smedegaard <dr@jones.dk>: You have taken responsibility.
Notification sent to Celso Gonzalez <celso@bulma.net>: Bug acknowledged by developer.
Message #29 received at 294488-close@bugs.debian.org:
Source: awstats
Source-Version: 6.3-1
We believe that the bug you reported is fixed in the latest version of
awstats, which is due to be installed in the Debian FTP archive:
awstats_6.3-1.diff.gz to pool/main/a/awstats/awstats_6.3-1.diff.gz
awstats_6.3-1.dsc to pool/main/a/awstats/awstats_6.3-1.dsc
awstats_6.3-1_all.deb to pool/main/a/awstats/awstats_6.3-1_all.deb
awstats_6.3.orig.tar.gz to pool/main/a/awstats/awstats_6.3.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 294488@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jonas Smedegaard <dr@jones.dk> (supplier of updated awstats package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 5 Feb 2005 17:13:48 +0100
Source: awstats
Binary: awstats
Architecture: source all
Version: 6.3-1
Distribution: unstable
Urgency: high
Maintainer: Jonas Smedegaard <dr@jones.dk>
Changed-By: Jonas Smedegaard <dr@jones.dk>
Description:
awstats - powerful and featureful web server log analyzer
Closes: 291064 293668 293702 294488
Changes:
awstats (6.3-1) unstable; urgency=high
.
* New upstream release. Closes: bug#293702, #293668 (thanks to Nelson
A. de Oliveira <naoliv@biolinux.df.ibilce.unesp.br>).
+ Includes upstream fix for security bug fixed in 6.2-1.1.
+ Includes upstream fix for most of security bug fixed in 6.2-1.1.
* Acknowledge NMUs. Closes: bug#291064, #294488 (thanks to Martin
Schulze <joey@infodrom.org>, Martin Pitt <mpitt@debian.org>, Ubuntu,
Joey Hess <joeyh@debian.org>, Frank Lichtenheld <djpig@debian.org> and Steve
Langasek <vorlon@debian.org>).
* Include patch for last parts of security bug fixed in 6.2-1.1:
01_sanitize_more.patch.
* Patch (02) to include snapshot of recent development:
+ Fix security hole that allowed a user to read log file content
even when plugin rawlog was not enabled.
+ Fix a possible use of AWStats for a DoS attack.
+ configdir option was broken on windows servers.
+ DebugMessages is by default set to 0 for security reasons.
+ Minor fixes.
* References:
CAN-2005-0435 - read server logs via loadplugin and pluginmode
CAN-2005-0436 - code injection via PluginMode
CAN-2005-0437 - directory traversal via loadplugin
CAN-2005-0438 - information leak via debug
Files:
2dc54b77fee571afaba6074465ee79fb 577 web optional awstats_6.3-1.dsc
edb73007530a5800d53b9f1f90c88053 938794 web optional awstats_6.3.orig.tar.gz
daf739c6af548309a9724afaf2631a69 22093 web optional awstats_6.3-1.diff.gz
bafc77369b5e40d31b4df2f6ab0920d4 725768 web optional awstats_6.3-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
iD8DBQFCFAagn7DbMsAkQLgRAhpOAJwKYtnURAoOq/P0xIttjMkPZLYQfACgocV7
R2oNSNdLPwJWHdDToQrCcJ8=
=ySLo
-----END PGP SIGNATURE-----
Tags added: sarge. Request was from Jonas Smedegaard <dr@jones.dk> to control@bugs.debian.org.
Bug unarchived. Request was from Stefano Zacchiroli <zack@debian.org> to control@bugs.debian.org. (Sun, 10 Apr 2011 08:46:01 GMT)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 09 May 2011 07:50:05 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Oct 11 12:08:55 2017; Machine Name: buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.