Debian Bug report logs - #365909
AWStats: Shell code injection via 'migrate'


Package: awstats; Maintainer for awstats is Sergey B Kirpichev <skirpichev@gmail.com>; Source for awstats is src:awstats.

Reported by: Hendrik Weimer <hendrik@enyo.de>

Date: Wed, 3 May 2006 17:33:32 UTC

Severity: important

Tags: security

Found in versions awstats/6.5-1, awstats/6.4-1sarge1

Fixed in version awstats/6.5-2

Done: Jonas Smedegaard <dr@jones.dk>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>:
Bug#365909; Package awstats.

Acknowledgement sent to Hendrik Weimer <hendrik@enyo.de>:
New Bug report received and forwarded. Copy sent to Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Hendrik Weimer <hendrik@enyo.de>
To: submit@bugs.debian.org
Subject: AWStats: Shell code injection via 'migrate'
Date: Wed, 03 May 2006 19:11:08 +0200
Package: awstats
Version: 6.5-1
Severity: important
Tags: security

Source: http://www.osreviews.net/reviews/comm/awstats

| If the update of the stats via web front-end is allowed, a remote
| attacker can execute arbitrary code on the server using a specially
| crafted request involving the migrate parameter. Input starting with
| a pipe character ("|") leads to an insecure call to Perl's open
| function and the rest of the input being executed in a shell. The
| code is run in the context of the process running the AWStats CGI.

Note that AllowToUpdateStatsFromBrowser, which is required for
successful exploitation, is disabled by default.
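
The mechanism described in the report above, as an added example that is not part of this bug log or of AWStats: a two-argument Perl open() on a request-controlled string, the three-argument form that removes the mode ambiguity, and an allow-list check shaped like the history-file regex in the Debian patch. Assumed here: that $PROG expands to "awstats" and that the optional site suffix is a hostname-like token. The payload is a harmless echo standing in for an attacker's command, so the script is safe to run.

```perl
#!/usr/bin/perl
# Added example, not AWStats code: why a two-argument open() on request
# input is command injection, and the shape of the fix.
use strict;
use warnings;

# Two-argument open(): the mode is parsed out of the string itself.
# "|cmd" pipes to a shell command, "cmd|" pipes from one, ">f" truncates f.
# Whoever controls the string therefore also chooses the mode.
sub read_history_vulnerable {
    my ($name) = @_;
    open(my $fh, $name) or return undef;      # injection point
    my @lines = <$fh>;
    close $fh;
    return \@lines;
}

# Three-argument open(): the caller fixes the mode, so the string can only
# ever be a filename. "echo INJECTED|" is looked up as a file and fails.
sub read_history_fixed {
    my ($name) = @_;
    open(my $fh, '<', $name) or return undef;
    my @lines = <$fh>;
    close $fh;
    return \@lines;
}

# Allow-list check shaped like the pattern the Debian patch matches against
# $MigrateStats: $PROG, up to two digits, a 2-digit month, a 4-digit year,
# an optional ".site" suffix, ".txt". Assumptions: $PROG is "awstats" and
# the suffix is a hostname-like token. Unlike a deny-list Sanitize(),
# anything outside this shape is rejected, "/" and ".." included.
sub valid_migrate_name {
    my ($name) = @_;
    return $name =~ /\A awstats \d{0,2} \d\d \d{4} (?:\.[A-Za-z0-9-]+)* \.txt \z/x;
}

# Constructed inputs: a harmless echo stands in for an attacker's command.
my $payload = 'echo INJECTED|';
my @names   = ('awstats052006.example.com.txt', $payload, '../../etc/passwd.txt');

my $out = read_history_vulnerable($payload);
print "two-arg open ran the command, output: @$out" if $out;

print "three-arg open on the same string: ",
      (defined read_history_fixed($payload) ? "opened a file" : "failed, no such file"), "\n";

printf "%-32s %s\n", $_, (valid_migrate_name($_) ? "accepted" : "rejected") for @names;
```

The three-argument open is the primary fix because it makes the string a filename whatever it contains; the allow-list is defence in depth, since a filename-shaped string can still point at the wrong file if a deny-list sanitiser leaves path separators in.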



Information forwarded to debian-bugs-dist@lists.debian.org, Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>:
Bug#365909; Package awstats.

Acknowledgement sent to Charles Fry <debian@frogcircus.org>:
Extra info received and forwarded to list. Copy sent to Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>.

Message #10 received at 365909@bugs.debian.org:

From: Charles Fry <debian@frogcircus.org>
To: Hendrik Weimer <hendrik@enyo.de>, 365909@bugs.debian.org
Cc: eldy@users.sourceforge.net
Subject: Re: [Pkg-awstats-devel] Bug#365909: AWStats: Shell code injection via 'migrate'
Date: Fri, 5 May 2006 13:11:44 -0400
> Source: http://www.osreviews.net/reviews/comm/awstats
> 
> | If the update of the stats via web front-end is allowed, a remote
> | attacker can execute arbitrary code on the server using a specially
> | crafted request involving the migrate parameter. Input starting with
> | a pipe character ("|") leads to an insecure call to Perl's open
> | function and the rest of the input being executed in a shell. The
> | code is run in the context of the process running the AWStats CGI.
> 
> Note that AllowToUpdateStatsFromBrowser, which is required for
> successful exploitation, is disabled by default.

This one is indeed a bug, which is fixed in version 6.6.

Eldy, since we need to patch fixes for this bug into previously released
versions of the Debian awstats package, can you please confirm the exact
change required to fix this?

A cursory overview of version 6.5 and 6.6 suggests that we need to
change:

   $MigrateStats=&DecodeEncodedString("$2");

 to:

   $MigrateStats=&Sanitize(&DecodeEncodedString("$2"));

Is that correct?

thanks,
Charles

-- 
The more
You shave
The brushless way
The more you'll be
Inclined to say--
Burma-Shave
http://burma-shave.org/jingles/1948/the_more

Information forwarded to debian-bugs-dist@lists.debian.org, Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>:
Bug#365909; Package awstats.

Acknowledgement sent to Hendrik Weimer <hendrik@enyo.de>:
Extra info received and forwarded to list. Copy sent to Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>.

Message #15 received at 365909@bugs.debian.org:

From: Hendrik Weimer <hendrik@enyo.de>
To: Charles Fry <debian@frogcircus.org>
Cc: 364443@bugs.debian.org, 365909@bugs.debian.org
Subject: Re: Bug#364443: [Pkg-awstats-devel] Bug#364443: Vulnerability exists also with the 'diricons' parameter
Date: Fri, 05 May 2006 23:25:11 +0200
Charles Fry <debian@frogcircus.org> writes:

> Any final comments on anything I'm missing before moving forward with
> this patch?

Seems fine to me.

Hendrik



Information forwarded to debian-bugs-dist@lists.debian.org, Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>:
Bug#365909; Package awstats.

Acknowledgement sent to Charles Fry <debian@frogcircus.org>:
Extra info received and forwarded to list. Copy sent to Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>.

Message #20 received at 365909@bugs.debian.org:

From: Charles Fry <debian@frogcircus.org>
To: Hendrik Weimer <hendrik@enyo.de>
Cc: 364443@bugs.debian.org, 365909@bugs.debian.org
Subject: Re: Bug#364443: [Pkg-awstats-devel] Bug#364443: Vulnerability exists also with the 'diricons' parameter
Date: Fri, 5 May 2006 16:59:32 -0400
> Exploit #1: http://www.example.com/cgi-bin/awstats.pl?diricons=%22%3E0wned!%3Cspan%20%22

I see. Thank you for taking the time to put these examples together for
us. :-)

I've prepared an updated patch that should take care of both bug #364443
and #365909.

Any final comments on anything I'm missing before moving forward with
this patch?

thanks,
Charles

-- 
As you journey
Down the years
Your mirror is
The glass that cheers
If you use
Burma-Shave
http://burma-shave.org/jingles/1936/as_you_journey
[1001_sanitize_more.patch (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>:
Bug#365909; Package awstats.

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>.

Message #25 received at 365909@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: 365909@bugs.debian.org
Subject: AWStats: Shell code injection via 'migrate'
Date: Tue, 9 May 2006 21:19:29 +0200
This is CVE-2006-2237. Please mention it in the changelog.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>:
Bug#365909; Package awstats.

Acknowledgement sent to Jonas Smedegaard <dr@jones.dk>:
Extra info received and forwarded to list. Copy sent to Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>.

Message #30 received at 365909@bugs.debian.org:

From: Jonas Smedegaard <dr@jones.dk>
To: Stefan Fritsch <sf@sfritsch.de>, 365909@bugs.debian.org
Subject: Re: [Pkg-awstats-devel] Bug#365909: AWStats: Shell code injection via 'migrate'
Date: Tue, 9 May 2006 23:35:22 +0200
On Tue, 9 May 2006 21:19:29 +0200 Stefan Fritsch wrote:

> This is CVE-2006-2237. Please mention it in the changelog.

Will do. Appreciate the reminder :-)


 - Jonas

-- 
* Jonas Smedegaard - idealist og Internet-arkitekt
* Tlf.: +45 40843136  Website: http://dr.jones.dk/

 - Enden er nær: http://www.shibumi.org/eoti.htm

Reply sent to Jonas Smedegaard <dr@jones.dk>:
You have taken responsibility.

Notification sent to Hendrik Weimer <hendrik@enyo.de>:
Bug acknowledged by developer.

Message #35 received at 365909-close@bugs.debian.org:

From: Jonas Smedegaard <dr@jones.dk>
To: 365909-close@bugs.debian.org
Subject: Bug#365909: fixed in awstats 6.5-2
Date: Tue, 09 May 2006 14:47:15 -0700
Source: awstats
Source-Version: 6.5-2

We believe that the bug you reported is fixed in the latest version of
awstats, which is due to be installed in the Debian FTP archive:

awstats_6.5-2.diff.gz
  to pool/main/a/awstats/awstats_6.5-2.diff.gz
awstats_6.5-2.dsc
  to pool/main/a/awstats/awstats_6.5-2.dsc
awstats_6.5-2_all.deb
  to pool/main/a/awstats/awstats_6.5-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 365909@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <dr@jones.dk> (supplier of updated awstats package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue,  9 May 2006 23:10:43 +0200
Source: awstats
Binary: awstats
Architecture: source all
Version: 6.5-2
Distribution: unstable
Urgency: high
Maintainer: Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>
Changed-By: Jonas Smedegaard <dr@jones.dk>
Description: 
 awstats    - powerful and featureful web server log analyzer
Closes: 364443 365909 365910
Changes: 
 awstats (6.5-2) unstable; urgency=high
 .
   [ Charles Fry ]
   * Require AWSTATS_ENABLE_CONFIG_DIR environmental variable in order to
     enable configdir. Closes: #365910 (thanks to Hendrik Weimer
     <hendrik@enyo.de>)
   * Integrated security patches from upstream:
     + Decode QueryString. Closes: #364443 (thanks to Micah Anderson
       <micah@debian.org>)
     + Sanitize migrate parameter. Closes: #365909 (thanks to Hendrik Weimer
       <hendrik@enyo.de>)
   * Indent Homepage in long description, per debian reference guideline
 .
   [ Jonas Smedegaard ]
   * Update local cdbs snippet copyright-check.mk:
     + Broaden scan to also look for "(c)" by default.
     + Make egrep options configurable.
   * Semi-auto-update debian/control:
     + Bump up versioned build-dependency on debhelper.
   * Semi-auto-update debian/copyright_hints (nothing remarkable).
   * Set urgency=high as this upload fixes security-related bugs
     (bug#365909: CVE-2006-2237).
   * Fix including a couple of example shell scripts ignored by mistake.
Files: 
 bf575ea8463263271c52860d1d7904f1 759 web optional awstats_6.5-2.dsc
 1829b872bf69228e57040378475e07a1 18596 web optional awstats_6.5-2.diff.gz
 85e53aff0e62a8809e18232617e5aa7f 854100 web optional awstats_6.5-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEYQq/n7DbMsAkQLgRAiKtAJwK4hhf+YU8JANbIsdQ6kvmyujL9QCfRl3U
BCIAGnkI7rd5QDS9ZUBwze4=
=nSGA
-----END PGP SIGNATURE-----




Bug marked as found in version 6.4-1sarge1. Request was from Charles Fry <debian@frogcircus.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>:
Bug#365909; Package awstats.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>.

Message #42 received at 365909@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: Charles Fry <debian@frogcircus.org>
Cc: Hendrik Weimer <hendrik@enyo.de>, 364443@bugs.debian.org, 365909@bugs.debian.org
Subject: Re: Bug#364443: [Pkg-awstats-devel] Bug#364443: Vulnerability exists also with the 'diricons' parameter
Date: Fri, 12 May 2006 10:22:18 +0200
How can the diricons and config parameters be exploited?  From a quick
glance I can't find an open associated with $DirIcons.

I assume $SiteConfig leads to an open() call.

Charles Fry wrote:
> Index: awstats-6.5/wwwroot/cgi-bin/awstats.pl
> ===================================================================
> --- awstats-6.5.orig/wwwroot/cgi-bin/awstats.pl	2005-11-24 15:11:19.000000000 -0500
> +++ awstats-6.5/wwwroot/cgi-bin/awstats.pl	2006-05-05 16:43:12.000000000 -0400
> @@ -5542,8 +5542,8 @@
>  	# No update but report by default when run from a browser
>  	$UpdateStats=($QueryString=~/update=1/i?1:0);
>  
> -	if ($QueryString =~ /config=([^&]+)/i)				{ $SiteConfig=&DecodeEncodedString("$1"); }
> -	if ($QueryString =~ /diricons=([^&]+)/i)			{ $DirIcons=&DecodeEncodedString("$1"); }
> +	if ($QueryString =~ /config=([^&]+)/i)				{ $SiteConfig=&Sanitize(&DecodeEncodedString("$1")); }
> +	if ($QueryString =~ /diricons=([^&]+)/i)			{ $DirIcons=&Sanitize(&DecodeEncodedString("$1")); }
>  	if ($QueryString =~ /pluginmode=([^&]+)/i)			{ $PluginMode=&Sanitize(&DecodeEncodedString("$1"),1); }
>  	if ($QueryString =~ /configdir=([^&]+)/i)			{ $DirConfig=&Sanitize(&DecodeEncodedString("$1")); }
>  	# All filters
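Review bot: the new config= and diricons= lines call Sanitize() on the decoded value, &Sanitize(&DecodeEncodedString("$1")), and that order is the substance of the fix: a pass over the still-encoded $QueryString cannot see a '>' sent as %3E, and the thread says $DirIcons is reflected into the page. Two things the hunk does not show and the reviewer should confirm before backporting: what Sanitize() strips in its default mode, and why pluginmode= passes a second argument of 1 while config= and diricons= pass none. If that flag selects a stricter character set, $SiteConfig, which the thread assumes reaches an open() call, is a candidate for it as well.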
> @@ -5561,7 +5561,7 @@
>  
>  	# If migrate
>  	if ($QueryString =~ /(^|-|&|&amp;)migrate=([^&]+)/i)	{
> -		$MigrateStats=&DecodeEncodedString("$2"); 
> +		$MigrateStats=&Sanitize(&DecodeEncodedString("$2"));
>  		$MigrateStats =~ /^(.*)$PROG(\d{0,2})(\d\d)(\d\d\d\d)(.*)\.txt$/;
>  		$SiteConfig=$5?$5:'xxx'; $SiteConfig =~ s/^\.//;		# SiteConfig is used to find config file
>  	}
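Review bot: the match on the sanitised $MigrateStats is never tested for success, so a value that does not fit the history-file pattern is not rejected; control falls through with $SiteConfig set to 'xxx' and the request continues. Wrap the two lines in `if ($MigrateStats =~ /^(.*)$PROG(\d{0,2})(\d\d)(\d\d\d\d)(.*)\.txt$/) { ... }` with an error in the else branch. Also, the leading (.*) still admits an arbitrary directory prefix in $1; either confirm that Sanitize() removes path separators and '..' or anchor the pattern so that no prefix is accepted.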
> @@ -5591,8 +5591,8 @@
>  	# Update with no report by default when run from command line
>  	$UpdateStats=1;
>  
> -	if ($QueryString =~ /config=([^&]+)/i)				{ $SiteConfig="$1"; }
> -	if ($QueryString =~ /diricons=([^&]+)/i)			{ $DirIcons="$1"; }
> +	if ($QueryString =~ /config=([^&]+)/i)				{ $SiteConfig=&Sanitize("$1"); }
> +	if ($QueryString =~ /diricons=([^&]+)/i)			{ $DirIcons=&Sanitize("$1"); }
>  	if ($QueryString =~ /pluginmode=([^&]+)/i)			{ $PluginMode=&Sanitize("$1",1); }
>  	if ($QueryString =~ /configdir=([^&]+)/i)			{ $DirConfig=&Sanitize("$1"); }
>  	# All filters
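Review bot: this is the third copy of the same parameter-parsing block (the browser branch, the migrate block above, and this command-line branch), each wrapping Sanitize() around a slightly different inner call, and migrate= was exactly the call site that got missed. A single helper called from both branches, e.g. `sub param { my ($n, $decode) = @_; ... &Sanitize($decode ? &DecodeEncodedString($1) : $1) }`, would make the next omission visible at review time. Dropping DecodeEncodedString() here is right, since argv values are not URL-encoded; a one-line comment saying so would stop the asymmetry with the hunk above being read as another missed decode.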



Regards,

	Joey


-- 
It's time to close the windows.

Please always Cc to me when replying to me on the lists.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>:
Bug#365909; Package awstats.

Acknowledgement sent to Hendrik Weimer <hendrik@enyo.de>:
Extra info received and forwarded to list. Copy sent to Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>.

Message #47 received at 365909@bugs.debian.org:

From: Hendrik Weimer <hendrik@enyo.de>
To: Martin Schulze <joey@infodrom.org>
Cc: 364443@bugs.debian.org, 365909@bugs.debian.org
Subject: Re: Bug#364443: [Pkg-awstats-devel] Bug#364443: Vulnerability exists also with the 'diricons' parameter
Date: Fri, 12 May 2006 13:58:13 +0200
Martin Schulze <joey@infodrom.org> writes:

> How can the diricons and config parameters be exploited?  From a quick
> glance I can't find an open associated with $DirIcons.

The diricons issue is an XSS vulnerability. It has nothing to do with
the two other holes (which lead to arbitrary code execution) other
than they all are a case of missing input sanitizing.

Hendrik



Information forwarded to debian-bugs-dist@lists.debian.org, Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>:
Bug#365909; Package awstats.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>.

Message #52 received at 365909@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: Hendrik Weimer <hendrik@enyo.de>
Cc: 364443@bugs.debian.org, 365909@bugs.debian.org
Subject: Re: Bug#364443: [Pkg-awstats-devel] Bug#364443: Vulnerability exists also with the 'diricons' parameter
Date: Fri, 12 May 2006 14:20:58 +0200
Hendrik Weimer wrote:
> Martin Schulze <joey@infodrom.org> writes:
> 
> > How can the diricons and config parameters be exploited?  From a quick
> > glance I can't find an open associated with $DirIcons.
> 
> The diricons issue is an XSS vulnerability. It has nothing to do with
> the two other holes (which lead to arbitrary code execution) other
> than they all are a case of missing input sanitizing.

Umh... but since the query_string is already sanitised globally,
how can XSS still happen?  Was the sanitising not successful?

Regards,

	Joey

-- 
It's time to close the windows.

Please always Cc to me when replying to me on the lists.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>:
Bug#365909; Package awstats.

Acknowledgement sent to Hendrik Weimer <hendrik@enyo.de>:
Extra info received and forwarded to list. Copy sent to Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>.

Message #57 received at 365909@bugs.debian.org:

From: Hendrik Weimer <hendrik@enyo.de>
To: Martin Schulze <joey@infodrom.org>
Cc: 364443@bugs.debian.org, 365909@bugs.debian.org
Subject: Re: Bug#364443: [Pkg-awstats-devel] Bug#364443: Vulnerability exists also with the 'diricons' parameter
Date: Fri, 12 May 2006 14:56:55 +0200
Martin Schulze <joey@infodrom.org> writes:

> Umh... but since the query_string is already sanitised globally,
> how can XSS still happen?  Was the sanitising not successful?

AFAICS the query_string is not being decoded first. Therefore, a '>'
encoded as %3E will slip through. Version 6.5-2 contains the proper
fix.

Hendrik
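
The ordering problem Hendrik describes, as an added example that is not AWStats code and not part of this bug log: a model of a sanitiser run over the still-encoded query string and decoded afterwards, beside the decode-then-sanitise order the 6.5-2 patch uses at each call site, both fed the diricons request quoted earlier in this thread. The decode and sanitise routines are assumed stand-ins for DecodeEncodedString() and Sanitize(); only the order of the two calls is the point.

```perl
#!/usr/bin/perl
# Added example, not AWStats code: sanitising before URL-decoding lets an
# encoded '>' through, sanitising after decoding does not.
use strict;
use warnings;

# URL-decode %XX escapes in one parameter value. Assumption: this is what
# DecodeEncodedString() does for the characters that matter here.
sub decode_encoded_string {
    my ($s) = @_;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Deny-list sanitiser: strip characters that open HTML tags or shell pipes.
# Assumption: the real Sanitize() is a deny-list of roughly this shape.
sub sanitize {
    my ($s) = @_;
    $s =~ s/[<>"'|`;&\$]//g;
    return $s;
}

# Pull one parameter out of a raw query string (same [^&]+ capture as the
# AWStats regexes in the patch).
sub extract_param {
    my ($qs, $name) = @_;
    return $qs =~ /(?:^|&)\Q$name\E=([^&]+)/i ? $1 : undef;
}

# Broken order, as the thread describes the pre-6.5-2 behaviour: sanitise
# the whole query string first, decode the parameter later. The sanitiser
# sees "%3E", which contains nothing on its deny-list.
sub diricons_sanitise_then_decode {
    my ($qs) = @_;
    my $clean = sanitize($qs);
    return decode_encoded_string(extract_param($clean, 'diricons'));
}

# Fixed order, as in the 6.5-2 call sites: decode the parameter value, then
# sanitise the decoded text.
sub diricons_decode_then_sanitise {
    my ($qs) = @_;
    return sanitize(decode_encoded_string(extract_param($qs, 'diricons')));
}

# The request from Bug#364443, reduced here to its bare query string.
my $qs = 'diricons=%22%3E0wned!%3Cspan%20%22';

print "sanitise-then-decode: ", diricons_sanitise_then_decode($qs), "\n";
print "decode-then-sanitise: ", diricons_decode_then_sanitise($qs), "\n";
```

The first line printed still carries the quote and angle-bracket characters that close the surrounding attribute and open a tag; the second has them stripped. The same reasoning applies to any filter placed in front of a decoder: it must see the bytes the consumer will see, which in a CGI means decoding first.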



Information forwarded to debian-bugs-dist@lists.debian.org, Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>:
Bug#365909; Package awstats.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>.

Message #62 received at 365909@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: Hendrik Weimer <hendrik@enyo.de>
Cc: 364443@bugs.debian.org, 365909@bugs.debian.org
Subject: Re: Bug#364443: [Pkg-awstats-devel] Bug#364443: Vulnerability exists also with the 'diricons' parameter
Date: Fri, 12 May 2006 18:34:46 +0200
Hendrik Weimer wrote:
> Martin Schulze <joey@infodrom.org> writes:
> 
> > Umh... but since the query_string is already sanitised globally,
> > how can XSS still happen?  Was the sanitising not successful?
> 
> AFAICS the query_string is not being decoded first. Therefore, a '>'
> encoded as %3E will slip through. Version 6.5-2 contains the proper
> fix.

It does.  I understand now.

Regards,

	Joey

-- 
It's time to close the windows.

Please always Cc to me when replying to me on the lists.



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 13:27:46 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 07:10:19 2014; Machine Name: buxtehude.debian.org
