AWStats Security Hole

**piper** · 02-06-2005, 09:27 PM

I visited a site today and there was a notice that they were hacked because of an Awstats exploit.

From the Awstats site:

Warning, a security hole was recently found in AWStats versions from 5.0 to 6.2 when AWStats is used as a CGI: A remote user can execute arbitrary commands on your server using permissions of your web server user (in most cases user "nobody").
If you use AWStats with another version or with option AllowToUpdateStatsFromBrowser to 0, you are safe. If not, it is highly recommanded to update to 6.3 version that fix this security hole.

How safe is my jagpc account? I checked my control panel and it says v6.2 which according to Awstats is vulnerable.

**Connie** · 02-06-2005, 09:52 PM

Thanks for the info. My experience with JPC is they pretty well stay on top of these issues. I doubt that you are in any danger. Not sure but I don't think a security patch would show up as a new version.

**gerilya** · 02-07-2005, 12:39 AM

Originally Posted by clssam

Thanks for the info. My experience with JPC is they pretty well stay on top of these issues. I doubt that you are in any danger.

clssam,

I respectfully disagree on this one, but I would like to know how you reached that conclusion.

**Connie** · 02-07-2005, 08:59 AM

Just an overall observation. Did not mean to imply that you should not bring it up. In fact it might be worthwhile to submit a ticket about this in case they were not aware of the problem.

**Vin DSL** · 02-08-2005, 01:27 AM

Okay, this seems to work as good as anything...

Code:

#Place this directive at the TOP of your root .htaccess file!
#Check for AWStats exploits and redirect them to a phantom site
RewriteCond %{QUERY_STRING} ^(.*)configdir(.*)          [NC]
RewriteRule ^.*$ http://www.goawayanddontcomeback.com   [L]

I ran some remote exploits against my site and it caught them. That should do until they update/patch AWStats, I think...

BTW, the fix is incredibly simple for both remote and local exploits...

K-OTik Security Advisory : KOTIK/ADV-2005-0032
CVE Reference : GENERIC-MAP-NOMATCH
Rated as : High
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2005-01-18

* Technical Description *

A vulnerability has been identified in AWStats, it could be exploited by attackers to execute arbitrary code and compromise a vulnerable system. The problem results from an input validation error in the "awstats.pl" file when handling the "configdir" parameter, which can be exploited by attackers to execute arbitrary command using "|" characters.

* Affected Products *

AWStats version 6.2 and prior

* Solution *

Use AWStats version 6.3 :
http://awstats.sourceforge.net/#DOWNLOAD

Or replace the lines :
if ($QueryString =~ /configdir=([^&]+)/i) { $DirConfig=&DecodeEncodedString("$1"); }

With :
if ($QueryString =~ /configdir=([^&]+)/i) { $DirConfig=&DecodeEncodedString("$1");
$DirConfig=~tr/a-z0-9_\-\/\./a-z0-9_\-\/\./cd; };

* References *

http://www.k-otik.com/english/advisories/2005/0032
http://www.idefense.com/application/...ulnerabilities

* Credits *

Vulnerability reported by iDEFENSE

* ChangeLog *

2005-01-18 : Original Advisory

SOURCE: http://www.k-otik.com/english/advisories/2005/0032

**cornnuts** · 02-09-2005, 12:49 PM

Has jagpc patched this yet? Also can I replace:

Code:

RewriteRule ^.*$ http://www.goawayanddontcomeback.com   [L]

with

Code:

RewriteRule ^.*$ http://127.0.0.1/ [L,R=301]

**JPC-Les** · 02-09-2005, 02:23 PM

We are aware of this. First you have to pass cpanel authentication to be able to pass the variables in question. Cpanel has this patched in their edge release and the patch should be pushed to stable shortly.

**kornmonkie** · 02-09-2005, 02:29 PM

Already noticed an attempt in my logs....:/..that was fast...

Host: *.*.167.10

/cgi-bin/awstats.pl
Http Code: 404 Date: Feb 09 13:57:20 Http Version: HTTP/1.0 Size in Bytes: -
Referer: -
Agent: -

**Spathiphyllum** · 02-09-2005, 04:13 PM

Originally Posted by cornnuts

Also can I replace:

Code:

RewriteRule ^.*$ http://www.goawayanddontcomeback.com   [L]

with

Code:

RewriteRule ^.*$ http://127.0.0.1/ [L,R=301]

Well, you could... but why? No need to redirect the request back to the local server since it would just chew up more local resources as the server still needs to respond to the request. Send them away from your server, hopefully to something really obnoxious and make the error code a 410 (see http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html).

Actually, I'm not even sure if such an exploit even pays attention to those return codes since it is not designed to follow any rules - it may keep returning anyway. However, assuming the worm/virus/exploit does follow rules, get it the heck away from your server and tell it to quit looking. Or just use |begin-code->RewriteRule ^ - [G,L]<-end code-| to keep it as short and sweet as possible.

This rule would, if matched, return to the requesting client a brief server text response and associated code that the resource is gone and won't be back. The request is processed one time and then the server calls it quits. Seems like this would be the best way to minimze it impact on the server.

Anyone have other ideas short of hacking the awstats script to run only for a finite set of IPs?

LinkBack

Thread Tools

Display

AWStats Security Hole

Bookmarks

Bookmarks

Posting Permissions