
Awstats official workaround flaw

RedTeam found a flaw in the official workaround for the remote command execution vulnerability in awstats discovered by iDefense.

Details

  • Product: Awstats
  • Affected Version: <= 6.2
  • Immune Version: 6.3
  • OS affected: all
  • Security-Risk: high
  • Remote-Exploit: yes
  • Vendor-URL: http://awstats.sourceforge.net
  • Vendor-Status: informed
  • Advisory-URL: https://www.redteam-pentesting.de/advisories/rt-sa-2005-006
  • Advisory-Status: public
  • CVE: GENERIC-MAP-NOMATCH (https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH#)

Introduction

iDefense found a remote command execution vulnerability in awstats <= 6.2, see CAN-2005-0116.

The official awstats website tells users that they are safe from remote command execution if they set the variable $AllowToUpdateStatsFromBrowser to 0. This is not true, as the exploit can still be triggered.

More Details

In awstats.pl, the variable $configdir, which is used in the exploit, can still be set remotely. Setting $AllowToUpdateStatsFromBrowser to 0 only removes the link to the button which can be used to trigger updates. $configdir can still be assigned via a GET request.

Proof of Concept

http://path/to/awstats/awstats.pl?configdir=%7Ccd%20/tmp;%20touch%20evilfile;
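
Because the request above arrives as an ordinary GET, it shows up in the web server's access log regardless of the $AllowToUpdateStatsFromBrowser setting. The following check is an added example, not part of the original advisory: it flags awstats.pl requests whose decoded configdir value contains shell metacharacters. The combined log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request line of a common/combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Characters that never belong in a directory path but are meaningful to a shell.
SUSPICIOUS = set("|;`$&<>\n\r")

def suspicious_configdir(log_line):
    """Return the decoded configdir value if the line is an awstats.pl request
    whose configdir contains shell metacharacters, otherwise None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith("/awstats.pl"):
        return None
    # parse_qsl percent-decodes the values, so %7C is seen as "|".
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        if key.lower() == "configdir" and SUSPICIOUS & set(value):
            return value
    return None

def scan(lines):
    """Return (line_number, configdir_value) for every flagged log line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        value = suspicious_configdir(line)
        if value is not None:
            hits.append((number, value))
    return hits

# Constructed sample log lines (documentation IP range, invented timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Feb/2005:10:00:01 +0100] "GET /cgi-bin/awstats.pl?config=example HTTP/1.1" 200 5120',
    '192.0.2.66 - - [12/Feb/2005:10:00:07 +0100] "GET /cgi-bin/awstats.pl?configdir=%7Ccd%20/tmp;%20touch%20evilfile; HTTP/1.1" 200 734',
    '192.0.2.10 - - [12/Feb/2005:10:01:15 +0100] "GET /cgi-bin/awstats.pl?configdir=/etc/awstats&config=example HTTP/1.1" 200 5120',
    '192.0.2.23 - - [12/Feb/2005:10:02:40 +0100] "GET /search.cgi?q=a%7Cb HTTP/1.1" 200 311',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: suspicious configdir={value!r}")
```

Access logs normally record only the request line, so parameters sent in a POST body are not covered by this check.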

Workaround

Use the workaround provided by iDefense. See their advisory for the original vulnerability.

Fix

Fixed in version 6.3.

Security Risk

High, as arbitrary commands can be executed on the vulnerable system.

History

  • 2005-02-12 eldy@users.sourceforge.net informed
  • 2005-02-12 CVE number requested
  • 2005-02-14 issue does not qualify for a CVE number. posted.
  • 2009-05-08 Updated Advisory URL

RedTeam

RedTeam is a penetration testing group working at the Laboratory for Dependable Distributed Systems at RWTH-Aachen University. You can find more information on the RedTeam Project at https://www.redteam-pentesting.de