Debian Bug report logs - #294488
awstats: Arbitrary command execution not completely fixed


Package: awstats; Maintainer for awstats is Sergey B Kirpichev <skirpichev@gmail.com>; Source for awstats is src:awstats.

Reported by: Celso Gonzalez <celso@bulma.net>

Date: Wed, 9 Feb 2005 23:03:04 UTC

Severity: grave

Tags: fixed, patch, sarge, security

Found in version 6.2-1.1

Fixed in version awstats/6.3-1

Done: Jonas Smedegaard <dr@jones.dk>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#294488; Package awstats.

Acknowledgement sent to Celso Gonzalez <celso@bulma.net>:
New Bug report received and forwarded. Copy sent to Jonas Smedegaard <dr@jones.dk>.

Message #5 received at submit@bugs.debian.org:

From: Celso Gonzalez <celso@bulma.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: awstats: Arbitrary command execution not completely fixed
Date: Wed, 09 Feb 2005 23:52:52 +0100
Package: awstats
Version: 6.2-1.1
Severity: grave
Tags: security
Justification: user security hole

The arbitrary command execution problem in the 6.2 release is composed
of several vulnerabilities.
Sarge and sid are affected.

The two known as
-configdir
-update
are solved in this version, but there is another one called
-pluginmode

And I have checked that the current version is vulnerable.
More information can be found on:
http://packetstormsecurity.nl/0501-exploits/AWStatsVulnAnalysis.pdf

Thanks in advance

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.10
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8)

Versions of packages awstats depends on:
ii  perl [libstorable-perl]       5.8.4-6    Larry Wall's Practical Extraction 

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#294488; Package awstats.

Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>.

Message #10 received at 294488@bugs.debian.org:

From: Martin Pitt <mpitt@debian.org>
To: 294488@bugs.debian.org, team@security.debian.org
Cc: control@bugs.debian.org
Subject: Ubuntu patch
Date: Fri, 11 Feb 2005 13:32:44 +0100
tag 294488 patch
thanks

Here is the patch used for the Ubuntu security update:

  http://patches.ubuntu.com/patches/awstats.more-CAN-2005-0016.diff

 awstats (6.2-1.1ubuntu1) hoary; urgency=low
 .
   * SECURITY UPDATE: fix more arbitrary command execution vulnerabilities
   * wwwroot/cgi-bin/awstats.pl: remove all non-path characters from the
     "config", "pluginmode", "loadplugin", and "noloadplugin" parameters (which
     are defined by the remote user) to prevent execution of arbitrary shell
     commands through shell metacharacters.
   * References:
     similar to CAN-2005-0116
     http://packetstormsecurity.nl/0501-exploits/AWStatsVulnAnalysis.pdf

Martin
-- 
Martin Pitt                       http://www.piware.de
Ubuntu Developer            http://www.ubuntulinux.org
Debian GNU/Linux Developer       http://www.debian.org
[signature.asc (application/pgp-signature, inline)]
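An added example, not code from awstats.pl or from the Ubuntu patch, showing the kind of whitelist filter the changelog above describes for the "config", "pluginmode", "loadplugin" and "noloadplugin" parameters. The character class, the reject-rather-than-strip variant and the ".." check are assumptions (the patch's exact regex is not on this page); the ".." check covers the directory traversal via loadplugin that the 6.3-1 changelog in this report lists as CAN-2005-0437.

```perl
#!/usr/bin/perl
# Added illustration, not code from awstats.pl or from the Ubuntu patch:
# a whitelist filter for the user-controlled "config", "pluginmode",
# "loadplugin" and "noloadplugin" CGI parameters, applied before the
# value can reach a shell or a file-system call. The character class
# and the traversal check are assumptions about what "non-path
# characters" should mean; the patch's exact regex is not on this page.
use strict;
use warnings;

# What the changelog describes: keep only characters that can appear in a
# config or plugin name and drop everything else (; | ` $ ( ) & newlines,
# whitespace, ...), so no shell metacharacter survives.
sub strip_non_path_chars {
    my ($value) = @_;
    return '' unless defined $value;
    $value =~ s{[^A-Za-z0-9_./-]}{}g;
    return $value;
}

# Stricter variant: reject instead of silently rewriting. A value is refused
# if stripping would change it at all, if it is absolute, or if it contains
# a ".." segment (the directory traversal the 6.3-1 changelog lists).
sub sanitize_plugin_param {
    my ($value) = @_;
    return undef unless defined $value && length $value;
    my $clean = strip_non_path_chars($value);
    return undef if $clean ne $value;
    return undef if $clean =~ m{^/};
    return undef if grep { $_ eq '..' } split m{/}, $clean;
    return $clean;
}

# Constructed sample inputs: two legitimate names and three that must not
# reach a shell or open() unchanged.
my @samples = ('rawlog', 'www.example.com', 'rawlog;pwd', 'rawlog|pwd',
               '../../etc/passwd');
for my $in (@samples) {
    my $out = sanitize_plugin_param($in);
    printf "%-20s strip=%-18s strict=%s\n", $in,
        strip_non_path_chars($in), defined $out ? $out : '(rejected)';
}
```

Stripping turns `rawlog;pwd` into `rawlogpwd`, which is harmless but silently selects a different name, and leaves `../../etc/passwd` untouched; refusing the request is the more predictable behaviour for a defender reviewing such a fix.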

Tags added: patch Request was from Martin Pitt <mpitt@debian.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#294488; Package awstats.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>.

Message #17 received at 294488@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: Martin Pitt <mpitt@debian.org>
Cc: 294488@bugs.debian.org, team@security.debian.org
Subject: Re: Ubuntu patch
Date: Fri, 11 Feb 2005 17:21:57 +0100
Thanks.

Martin Pitt wrote:
> Here is the patch used for the Ubuntu security update:
> 
>   http://patches.ubuntu.com/patches/awstats.more-CAN-2005-0016.diff

CAN-2005-0016 is the gatos problem Debian fixed in DSA 640.

>  awstats (6.2-1.1ubuntu1) hoary; urgency=low
>  .
>    * SECURITY UPDATE: fix more arbitrary command execution vulnerabilities
>    * wwwroot/cgi-bin/awstats.pl: remove all non-path characters from the
>      "config", "pluginmode", "loadplugin", and "noloadplugin" parameters (which
>      are defined by the remote user) to prevent execution of arbitrary shell
>      commands through shell metacharacters.
>    * References:
>      similar to CAN-2005-0116

CAN-2005-0116 does not apply to the stable Debian release
http://www.debian.org/security/nonvulns-woody#CAN-2005-0116

However, from the patch you provided, at least the "config" is part
of the version in woody so we'll have to issue an update I guess.

Regards,

	Joey

-- 
The good thing about standards is that there are so many to choose from.
		-- Andrew S. Tanenbaum



Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#294488; Package awstats.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>.

Message #22 received at 294488@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: 294488@bugs.debian.org
Subject: CVE ids
Date: Sat, 12 Feb 2005 11:02:56 +0100
Use CAN-2005-0362 for fixing *plugin* variables
Use CAN-2005-0363 for fixing the config variable

Regards,

	Joey

-- 
If you come from outside of Finland, you live in wrong country.
	-- motd of irc.funet.fi

Please always Cc to me when replying to me on the lists.



Tags added: fixed Request was from Joey Hess <joeyh@debian.org> to control@bugs.debian.org.

Reply sent to Jonas Smedegaard <dr@jones.dk>:
You have taken responsibility.

Notification sent to Celso Gonzalez <celso@bulma.net>:
Bug acknowledged by developer.

Message #29 received at 294488-close@bugs.debian.org:

From: Jonas Smedegaard <dr@jones.dk>
To: 294488-close@bugs.debian.org
Subject: Bug#294488: fixed in awstats 6.3-1
Date: Wed, 16 Feb 2005 22:17:06 -0500
Source: awstats
Source-Version: 6.3-1

We believe that the bug you reported is fixed in the latest version of
awstats, which is due to be installed in the Debian FTP archive:

awstats_6.3-1.diff.gz
  to pool/main/a/awstats/awstats_6.3-1.diff.gz
awstats_6.3-1.dsc
  to pool/main/a/awstats/awstats_6.3-1.dsc
awstats_6.3-1_all.deb
  to pool/main/a/awstats/awstats_6.3-1_all.deb
awstats_6.3.orig.tar.gz
  to pool/main/a/awstats/awstats_6.3.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 294488@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <dr@jones.dk> (supplier of updated awstats package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat,  5 Feb 2005 17:13:48 +0100
Source: awstats
Binary: awstats
Architecture: source all
Version: 6.3-1
Distribution: unstable
Urgency: high
Maintainer: Jonas Smedegaard <dr@jones.dk>
Changed-By: Jonas Smedegaard <dr@jones.dk>
Description: 
 awstats    - powerful and featureful web server log analyzer
Closes: 291064 293668 293702 294488
Changes: 
 awstats (6.3-1) unstable; urgency=high
 .
   * New upstream release. Closes: bug#293702, #293668 (thanks to Nelson
     A. de Oliveira <naoliv@biolinux.df.ibilce.unesp.br>).
     + Includes upstream fix for security bug fixed in 6.2-1.1.
     + Includes upstream fix for most of security bug fixed in 6.2-1.1.
   * Acknowledge NMUs. Closes: bug#291064, #294488 (thanks to Martin
     Schulze <joey@infodrom.org>, Martin Pitt <mpitt@debian.org>, Ubuntu,
     Joey Hess <joeyh@debian.org>, Frank Lichtenheld <djpig@debian.org> and Steve
     Langasek <vorlon@debian.org>).
   * Include patch for last parts of security bug fixed in 6.2-1.1:
     01_sanitize_more.patch.
   * Patch (02) to include snapshot of recent development:
     + Fix security hole that allowed a user to read log file content
       even when plugin rawlog was not enabled.
     + Fix a possible use of AWStats for a DoS attack.
     + configdir option was broken on windows servers.
     + DebugMessages is by default set to 0 for security reasons.
     + Minor fixes.
   * References:
     CAN-2005-0435 - read server logs via loadplugin and pluginmode
     CAN-2005-0436 - code injection via PluginMode
     CAN-2005-0437 - directory traversal via loadplugin
     CAN-2005-0438 - information leak via debug
Files: 
 2dc54b77fee571afaba6074465ee79fb 577 web optional awstats_6.3-1.dsc
 edb73007530a5800d53b9f1f90c88053 938794 web optional awstats_6.3.orig.tar.gz
 daf739c6af548309a9724afaf2631a69 22093 web optional awstats_6.3-1.diff.gz
 bafc77369b5e40d31b4df2f6ab0920d4 725768 web optional awstats_6.3-1_all.deb





Tags added: sarge Request was from Jonas Smedegaard <dr@jones.dk> to control@bugs.debian.org.

Bug unarchived. Request was from Stefano Zacchiroli <zack@debian.org> to control@bugs.debian.org. (Sun, 10 Apr 2011 08:46:01 GMT)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 09 May 2011 07:50:05 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 23:48:21 2014; Machine Name: beach.debian.org
