[UNIX] AWStats ShowInfoURL Remote Command Execution

The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  AWStats ShowInfoURL Remote Command Execution
------------------------------------------------------------------------


SUMMARY

" <http://awstats.sourceforge.net/> AWStats is a free powerful and 
featureful tool that generates advanced web, streaming, ftp or mail server 
statistics, graphically. "

Remote exploitation of an input validation vulnerability in AWStats allows 
remote attackers to execute arbitrary commands.

DETAILS

Vulnerable Systems:
 * AWStats version 6.3 and prior

Immune Systems:
 * AWStats version 6.4

AWStats is a logfile analysis tool that generates reports for ftp, mail 
and web traffic. The problem specifically exists because of insufficient 
input filtering before passing user-supplied data to an eval() function. 
As part of the statistics reporting function, AWStats displays information 
about the most common referrer values that caused users to visit the 
website. The referrer data is used without proper sanitation in an eval() 
statement, resulting in the execution of arbitrary perl code.

Shown as follows, the $url parameter contains unfiltered user-supplied 
data that is used in a call to the Perl routine eval() on lines 4841 and 
4842 of awstats.pl (version 6.4):

my $function="ShowInfoURL_$pluginname('$url')";
eval("$function");

The malicious referrer value will be included in the referrer statistics 
portion of the AWStats report after AWStats has been run to generate a new 
report including the tainted data. Once a user visits the referrer 
statistics page, the injected perl code will execute with permissions of 
the web service.

Successful exploitation results in the execution of arbitrary commands 
with permissions of the web service. Exploitation will not occur until the 
stats page has been regenerated with the tainted referrer values from the 
http access log. Note that AWStats is only vulnerable in situations where 
at least one URLPlugin is enabled.

Workaround:
Disable all URLPlugins in the AWStats configuration.

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1527> 
CAN-2005-1527

Disclosure Timeline:
05/12/2005 - Initial vendor notification
08/09/2005 - Public disclosure


ADDITIONAL INFORMATION

The information has been provided by  
<mailto:idlabs-advisories@xxxxxxxxxxxx> iDEFENSE.
The original article can be found at:  
<http://www.idefense.com/application/poi/display?id=290&type=vulnerabilities> 
http://www.idefense.com/application/poi/display?id=290&type=vulnerabilities



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@xxxxxxxxxxxxxx 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@xxxxxxxxxxxxxx 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.