Awstats official workaround flaw

Talk to RedTeam!
+49 241 510081-0

News

19/07/2023
New advisory released: Session Token Enumeration in RWS WorldServer.
12/07/2023
A new version of monsoon has been released. Our new blog post covers the new features and improvements in detail.
05/06/2023
In our new blog post we discuss common misconceptions about login mechanisms using the example of a vulnerability in the web interface of STARFACE PBX.
01/06/2023
New advisory released: STARFACE: Authentication with Password Hash Possible.
30/05/2023
Several advisories for vulnerabilities in the open-source software Pydio Cells released: Unauthorised Role Assignments, Cross-Site Scripting via File Download, Server-Side Request Forgery.
09/05/2023
Today we released our newly developed program resocks. The accompanying blog post covers its usage and technical details.
12/04/2023
Our new blog post describes the approach to integrate our new printer in our office infrastructure aiming to meet our specified security requirements.
10/02/2023
Jens Liebchen held the talk “Physical Security – Wenn Türen zu Firewalls werden” on 7 February 2023 at the Chair for IT Security Infrastructures of the Friedrich-Alexander-Universität Erlangen-Nürnberg. The German language slides are available for download under Publications.
26/01/2023
New advisory released: Skyhigh Security Secure Web Gateway: Cross-Site Scripting in Single Sign-On Plugin.
18/01/2023
Alexander Neumann held the talk „Mitbringsel aus dem Alltag: Star Wars in der niedersächsischen Provinz” at the event “Studierende treffen Alumni und Unternehmensexperten” at the FH Aachen University of Applied Sciences. The German language slides are available for download under Publications.

> Advisories > rt-sa-2005-006 vertical divider

[rt-sa-2005-007]

Back to Overview

[rt-sa-2005-005]

Awstats official workaround flaw

RedTeam found a flaw in the official workaround for the remote command execution vulnerability in awstats discovered by iDefense. 


Details
=======

Product: Awstats
Affected Version: <= 6.2
Immune Version: 6.3
OS affected: all
Security-Risk: high
Remote-Exploit: yes
Vendor-URL: http://awstats.sourceforge.net
Vendor-Status: informed
Advisory-URL: http://www.redteam-pentesting.de/advisories/rt-sa-2005-006
Advisory-Status: public
CVE: GENERIC-MAP-NOMATCH
(https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH#)

Introduction
============

iDefense found a remote command execution vulnerability in awstats <= 6.2, see CAN-2005-0116.

The official awstats website tells users that they are safe from remote command execution if they set the variable $!AllowToUpdateStatsFromBrowser to 0. This is not true, as the exploit can still be triggered. 

More Details
============

In awstats.pl the variable $configdir, which is used to exploit, can still be set remotely. Setting $!AllowToUpdateStatsFromBrowser to 0 only removes the link to the button which can be used to trigger updates. The variable can still be assigned per GET request.

Proof of Concept
================

http://path/to/awstats/awstats.pl?configdir=|cd%20/tmp;%20touch%20evilfile;

Workaround
==========

Use the workaround provided by iDefense. See their advisory for the original vulnerability.

Fix
===

Fixed in version 6.3.

Security Risk
=============

High, as arbitrary commands can be executed on the vulnerable system. 

History
=======

2005-02-12 eldy@users.sourceforge.net informed 
2005-02-12 CVE number requested 
2005-02-14 issue does not qualify for a CVE number. posted.
2009-05-08 Updated Advisory URL

RedTeam
=======

RedTeam is a penetration testing group working at the Laboratory for Dependable Distributed Systems at RWTH-Aachen University. You can find more information on the RedTeam Project at
http://www.redteam-pentesting.de