Debian Bug report logs - #365910
AWStats: Malicious config file shell code injection


Package: awstats; Maintainer for awstats is Sergey B Kirpichev <skirpichev@gmail.com>; Source for awstats is src:awstats.

Reported by: Hendrik Weimer <hendrik@enyo.de>

Date: Wed, 3 May 2006 17:33:37 UTC

Severity: important

Tags: security

Found in versions awstats/6.5-1, awstats/6.4-1sarge1

Fixed in version awstats/6.5-2

Done: Jonas Smedegaard <dr@jones.dk>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>:
Bug#365910; Package awstats. Full text and rfc822 format available.

Acknowledgement sent to Hendrik Weimer <hendrik@enyo.de>:
New Bug report received and forwarded. Copy sent to Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Hendrik Weimer <hendrik@enyo.de>
To: submit@bugs.debian.org
Subject: AWStats: Malicious config file shell code injection
Date: Wed, 03 May 2006 19:11:18 +0200
Package: awstats
Version: 6.5-1
Severity: important
Tags: security

Source: http://www.osreviews.net/reviews/comm/awstats

| Arbitrary code can be executed by uploading a specially crafted
| configuration file if an attacker can put a file on the server with
| chosen file name and content (e.g. by using an FTP account on a
| shared hosting server). In this configuration file, the LogFile
| directive can be used to execute shell code following a pipe
| character. As above, an open call on unsanitized input is the source
| of this vulnerability.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>:
Bug#365910; Package awstats. Full text and rfc822 format available.

Acknowledgement sent to Charles Fry <debian@frogcircus.org>:
Extra info received and forwarded to list. Copy sent to Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #10 received at 365910@bugs.debian.org (full text, mbox):

From: Charles Fry <debian@frogcircus.org>
To: Hendrik Weimer <hendrik@enyo.de>, 365910@bugs.debian.org
Subject: Re: [Pkg-awstats-devel] Bug#365910: AWStats: Malicious config file shell code injection
Date: Fri, 5 May 2006 13:04:44 -0400
> Source: http://www.osreviews.net/reviews/comm/awstats
> 
> | Arbitrary code can be executed by uploading a specially crafted
> | configuration file if an attacker can put a file on the server with
> | chosen file name and content (e.g. by using an FTP account on a
> | shared hosting server). In this configuration file, the LogFile
> | directive can be used to execute shell code following a pipe
> | character. As above, an open call on unsanitized input is the source
> | of this vulnerability.

Thank you, Hendrik, for passing along this information.

In this case, this report doesn't appear to be an actual security
vulnerability. The configuration file needs to be placed in
/etc/awstats, /usr/local/etc/awstats, /etc, or /etc/opt/awstats. This
can not be done without having root access (nor can the current
configuration files be modified without root access). Someone with root
permissions can already execute shell code with broader permissions than
the webserver, so this "attack" seems like a non-issue to me.

cheers,
Charles

-- 
Hit 'em high
Hit 'em low
It's action rooters crave
Millions boast -- millions toast
The All-American shave
Burma-Shave
http://burma-shave.org/jingles/1933/hit_em_high2
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>:
Bug#365910; Package awstats. Full text and rfc822 format available.

Acknowledgement sent to Hendrik Weimer <hendrik@enyo.de>:
Extra info received and forwarded to list. Copy sent to Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #15 received at 365910@bugs.debian.org (full text, mbox):

From: Hendrik Weimer <hendrik@enyo.de>
To: Charles Fry <debian@frogcircus.org>
Cc: 365910@bugs.debian.org
Subject: Re: Bug#365910: [Pkg-awstats-devel] Bug#365910: AWStats: Malicious config file shell code injection
Date: Fri, 05 May 2006 19:44:10 +0200
Charles Fry <debian@frogcircus.org> writes:

> In this case, this report doesn't appear to be an actual security
> vulnerability. The configuration file needs to be placed in
> /etc/awstats, /usr/local/etc/awstats, /etc, or /etc/opt/awstats. This
> can not be done without having root access (nor can the current
> configuration files be modified without root access). Someone with root
> permissions can already execute shell code with broader permissions than
> the webserver, so this "attack" seems like a non-issue to me.

Exploit #2: http://www.example.com/cgi-bin/awstats.pl?configdir=/tmp
with the attached file being placed in /tmp.

Hendrik

[awstats.conf (application/octet-stream, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>:
Bug#365910; Package awstats. Full text and rfc822 format available.

Acknowledgement sent to Charles Fry <debian@frogcircus.org>:
Extra info received and forwarded to list. Copy sent to Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #20 received at 365910@bugs.debian.org (full text, mbox):

From: Charles Fry <debian@frogcircus.org>
To: Hendrik Weimer <hendrik@enyo.de>
Cc: 365910@bugs.debian.org, eldy@users.sourceforge.net
Subject: Re: Bug#365910: [Pkg-awstats-devel] Bug#365910: AWStats: Malicious config file shell code injection
Date: Fri, 5 May 2006 16:56:40 -0400
> Exploit #2: http://www.example.com/cgi-bin/awstats.pl?configdir=/tmp
> with the attached file being placed in /tmp.

I see. So I assume that $LogFile must be run through Sanitize prior to
being opened, or at least checked for pipes?

I noticed the following related chunk of code:

    # Deny LogFile if contains a pipe and PurgeLogFile || ArchiveLogRecords set on
    if (($PurgeLogFile || $ArchiveLogRecords) && $LogFile =~ /\|\s*$/) {
        error("A pipe in log file name is not allowed if PurgeLogFile and ArchiveLogRecords are not set to 0");
    }

This suggests some previous thought about pipes. I'm trying to figure
out why they would ever be useful in a LogFile (since they are obviously
trying to account for them).

Is it correct to always deny pipes in LogFile?

Charles

-- 
A Christmas hug
A birthday kiss
Awaits
The woman
Who gives this
Burma-Shave
http://burma-shave.org/jingles/1940/a_christmas_hug
[signature.asc (application/pgp-signature, inline)]
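The mechanism behind the original report (a LogFile value with a trailing pipe handed to open()) and the pipe check Charles quotes above, as an added example that is not AWStats code and not part of this bug log. The config text is constructed for the demo, the function names are made up, and the parser is a deliberate simplification of how awstats.pl reads its config; the point is the difference between Perl's two-argument open and a loader that refuses pipes and uses the three-argument form.

```perl
#!/usr/bin/perl
# Added example, not code from AWStats: shows why a LogFile value ending in a
# pipe is command execution under Perl's two-argument open, and a loader that
# refuses it. Function names and the config text below are made up for the demo.
use strict;
use warnings;

# Constructed awstats.conf-style text: the kind of file an attacker would drop
# in a directory they control and then select with ?configdir=/that/dir.
my $malicious_conf = <<'CONF';
# minimal config
SiteDomain="www.example.com"
LogFormat=1
LogFile="echo INJECTED COMMAND RAN |"
CONF

# Pull the LogFile directive out of the config text (quotes optional).
sub parse_logfile_directive {
    my ($conf_text) = @_;
    for my $line (split /\n/, $conf_text) {
        next if $line =~ /^\s*(?:#|$)/;
        return $1 if $line =~ /^\s*LogFile\s*=\s*"?([^"]*?)"?\s*$/;
    }
    return undef;
}

# Vulnerable pattern (the bug in the report): Perl's two-argument open reads a
# trailing '|' as "run this command and give me its stdout", so the attacker's
# config string is handed to /bin/sh. No warning is emitted.
sub open_log_unsafe {
    my ($logfile) = @_;
    open(my $fh, $logfile) or die "open failed: $!";   # two-argument open
    my $data = do { local $/; <$fh> };
    close $fh;
    return $data;
}

# Hardened loader: reject a '|' anywhere in the value (stricter than the
# quoted AWStats check, which only fires when PurgeLogFile or
# ArchiveLogRecords is set), then use three-argument open with an explicit
# '<' mode so the string can only ever be interpreted as a file name.
sub open_log_safe {
    my ($logfile) = @_;
    die "LogFile '$logfile' contains a pipe; refusing to open it\n"
        if $logfile =~ /\|/;
    open(my $fh, '<', $logfile) or die "open failed: $!";
    my $data = do { local $/; <$fh> };
    close $fh;
    return $data;
}

my $logfile = parse_logfile_directive($malicious_conf);
print "LogFile from config: $logfile\n";

print "--- two-argument open (vulnerable) ---\n";
print open_log_unsafe($logfile);      # the echo command actually runs

print "--- hardened loader ---\n";
eval { open_log_safe($logfile); 1 } or print "rejected: $@";

# The hardened loader still reads ordinary files; this script itself serves
# as a log file that exists on disk.
my $first_line = (split /\n/, open_log_safe($0))[0];
print "ordinary file opened fine, first line: $first_line\n";
```

Run it as `perl demo.pl`: the first section prints the output of the injected `echo`, which is exactly the behaviour an attacker gets with a config placed in a directory chosen via the configdir parameter; the second section shows the same value being refused. Rejecting any pipe, rather than only a trailing one, also covers the leading-pipe form that two-argument open treats as "write to this command", and the three-argument open is what makes the remaining path handling safe even if a check is later forgotten.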

Information forwarded to debian-bugs-dist@lists.debian.org, Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>:
Bug#365910; Package awstats. Full text and rfc822 format available.

Acknowledgement sent to Charles Fry <debian@frogcircus.org>:
Extra info received and forwarded to list. Copy sent to Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #25 received at 365910@bugs.debian.org (full text, mbox):

From: Charles Fry <debian@frogcircus.org>
To: Hendrik Weimer <hendrik@enyo.de>
Cc: 365910@bugs.debian.org, eldy@users.sourceforge.net
Subject: Re: Bug#365910: [Pkg-awstats-devel] Bug#365910: AWStats: Malicious config file shell code injection
Date: Fri, 5 May 2006 19:02:30 -0400
> While this plugs the current hole, I have a feeling that allowing
> users to use their own config file is a bad idea because it keeps open
> a class of possible attack vector. I would suggest to accept config
> files provided by the configdir parameter only if the config is owned
> by the same user that is running the CGI script.

I don't like that, because normally the config file should not be
writable by the web server.

Another solution would be to simply disable the configdir parameter.

Charles

-- 
Late risers!
Shave in just
2 minutes flat
Kiss your wife
Grab your hat
Burma-Shave
http://burma-shave.org/jingles/1933/late_risers
[signature.asc (application/pgp-signature, inline)]

Reply sent to Jonas Smedegaard <dr@jones.dk>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Hendrik Weimer <hendrik@enyo.de>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #30 received at 365910-close@bugs.debian.org (full text, mbox):

From: Jonas Smedegaard <dr@jones.dk>
To: 365910-close@bugs.debian.org
Subject: Bug#365910: fixed in awstats 6.5-2
Date: Tue, 09 May 2006 14:47:15 -0700
Source: awstats
Source-Version: 6.5-2

We believe that the bug you reported is fixed in the latest version of
awstats, which is due to be installed in the Debian FTP archive:

awstats_6.5-2.diff.gz
  to pool/main/a/awstats/awstats_6.5-2.diff.gz
awstats_6.5-2.dsc
  to pool/main/a/awstats/awstats_6.5-2.dsc
awstats_6.5-2_all.deb
  to pool/main/a/awstats/awstats_6.5-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 365910@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <dr@jones.dk> (supplier of updated awstats package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue,  9 May 2006 23:10:43 +0200
Source: awstats
Binary: awstats
Architecture: source all
Version: 6.5-2
Distribution: unstable
Urgency: high
Maintainer: Debian AWStats Team <pkg-awstats-devel@lists.alioth.debian.org>
Changed-By: Jonas Smedegaard <dr@jones.dk>
Description: 
 awstats    - powerful and featureful web server log analyzer
Closes: 364443 365909 365910
Changes: 
 awstats (6.5-2) unstable; urgency=high
 .
   [ Charles Fry ]
   * Require AWSTATS_ENABLE_CONFIG_DIR environmental variable in order to
     enable configdir. Closes: #365910 (thanks to Hendrik Weimer
     <hendrik@enyo.de>)
   * Integrated security patches from upstream:
     + Decode QueryString. Closes: #364443 (thanks to Micah Anderson
       <micah@debian.org>)
     + Sanitize migrate parameter. Closes: #365909 (thanks to Hendrik Weimer
       <hendrik@enyo.de>)
   * Indent Homepage in long description, per debian reference guideline
 .
   [ Jonas Smedegaard ]
   * Update local cdbs snippet copyright-check.mk:
     + Broaden scan to also look for "(c)" by default.
     + Make egrep options configurable.
   * Semi-auto-update debian/control:
     + Bump up versioned build-dependency on debhelper.
   * Semi-auto-update debian/copyright_hints (nothing remarkable).
   * Set urgency=high as this upload fixes security-related bugs
     (bug#365909: CVE-2006-2237).
   * Fix including a couple of example shell scripts ignored by mistake.
Files: 
 bf575ea8463263271c52860d1d7904f1 759 web optional awstats_6.5-2.dsc
 1829b872bf69228e57040378475e07a1 18596 web optional awstats_6.5-2.diff.gz
 85e53aff0e62a8809e18232617e5aa7f 854100 web optional awstats_6.5-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEYQq/n7DbMsAkQLgRAiKtAJwK4hhf+YU8JANbIsdQ6kvmyujL9QCfRl3U
BCIAGnkI7rd5QDS9ZUBwze4=
=nSGA
-----END PGP SIGNATURE-----




Bug marked as found in version 6.4-1sarge1. Request was from Charles Fry <debian@frogcircus.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 14:04:36 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 21:37:20 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.