CVE-2005-1527
CVSS 5.0
Published: 2005-08-15 00:00:00
Last revised: 2008-09-05 16:49:24

[Original] Eval injection vulnerability in awstats.pl in AWStats 6.4 and earlier, when a URLPlugin is enabled, allows remote attackers to execute arbitrary Perl code via the HTTP Referrer, which is used in a $url parameter that is inserted into an eval function call.


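[CNNVD] AWStats 'awstats.pl' eval injection vulnerability (CNNVD-200508-118)

        awstats.pl in AWStats 6.4 and earlier contains an eval injection vulnerability. When a URLPlugin is enabled, this allows a remote attacker to execute arbitrary Perl code via the HTTP Referrer. The Perl code is carried in the $url parameter, which is inserted into an eval function call.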

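- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]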

- CPE (affected platforms and products)

cpe:/a:awstats:awstats:6.0
cpe:/a:awstats:awstats:5.5
cpe:/a:awstats:awstats:5.1
cpe:/a:awstats:awstats:5.9
cpe:/a:awstats:awstats:6.2
cpe:/a:awstats:awstats:5.4
cpe:/a:awstats:awstats:5.6
cpe:/a:awstats:awstats:5.3
cpe:/o:ubuntu:ubuntu_linux:5.04::i386
cpe:/a:awstats:awstats:5.0
cpe:/o:ubuntu:ubuntu_linux:5.04::amd64
cpe:/a:awstats:awstats:5.2
cpe:/a:awstats:awstats:6.1
cpe:/a:awstats:awstats:5.8
cpe:/a:awstats:awstats:5.7
cpe:/a:awstats:awstats:6.3
cpe:/o:ubuntu:ubuntu_linux:5.04::powerpc

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1527
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1527
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200508-118
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/xforce/xfdb/21769
(PATCH)  XF  awstats-eval-execute-commands(21769)
http://www.osvdb.org/18696
(PATCH)  OSVDB  18696
http://securitytracker.com/id?1014636
(PATCH)  SECTRACK  1014636
http://secunia.com/advisories/16412
(VENDOR_ADVISORY)  SECUNIA  16412
http://www.ubuntulinux.org/support/documentation/usn/usn-167-1
(VENDOR_ADVISORY)  UBUNTU  USN-167-1
http://www.securityfocus.com/bid/14525
(UNKNOWN)  BID  14525
http://www.securiteam.com/unixfocus/5DP0J00GKE.html
(VENDOR_ADVISORY)  MISC  http://www.securiteam.com/unixfocus/5DP0J00GKE.html
http://www.novell.com/linux/security/advisories/2005_19_sr.html
(UNKNOWN)  SUSE  SUSE-SR:2005:019
http://www.idefense.com/application/poi/display?id=290&type=vulnerabilities&flashstatus=false
(UNKNOWN)  IDEFENSE  20050809 AWStats ShowInfoURL Remote Command Execution Vulnerability
http://www.debian.org/security/2005/dsa-892
(UNKNOWN)  DEBIAN  DSA-892
http://secunia.com/advisories/17463
(UNKNOWN)  SECUNIA  17463

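- Vulnerability information

AWStats 'awstats.pl' eval injection vulnerability
Medium severity  Input validation
2005-08-15 00:00:00 2005-10-20 00:00:00
Remote
        awstats.pl in AWStats 6.4 and earlier contains an eval injection vulnerability. When a URLPlugin is enabled, this allows a remote attacker to execute arbitrary Perl code via the HTTP Referrer. The Perl code is carried in the $url parameter, which is inserted into an eval function call.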

- Advisories and patches

        The vendor has released an upgrade patch that fixes this security issue. Patch download links:
        AWStats AWStats 5.0
        AWStats awstats-6.4.tgz
        http://awstats.sourceforge.net/files/awstats-6.4.tgz
        AWStats AWStats 5.1
        AWStats awstats-6.4.tgz
        http://awstats.sourceforge.net/files/awstats-6.4.tgz
        AWStats AWStats 5.2
        AWStats awstats-6.4.tgz
        http://awstats.sourceforge.net/files/awstats-6.4.tgz
        AWStats AWStats 5.3
        AWStats awstats-6.4.tgz
        http://awstats.sourceforge.net/files/awstats-6.4.tgz
        AWStats AWStats 5.4
        AWStats awstats-6.4.tgz
        http://awstats.sourceforge.net/files/awstats-6.4.tgz
        AWStats AWStats 5.5
        AWStats awstats-6.4.tgz
        http://awstats.sourceforge.net/files/awstats-6.4.tgz
        AWStats AWStats 5.6
        AWStats awstats-6.4.tgz
        http://awstats.sourceforge.net/files/awstats-6.4.tgz
        AWStats AWStats 5.7
        AWStats awstats-6.4.tgz
        http://awstats.sourceforge.net/files/awstats-6.4.tgz
        AWStats AWStats 5.8
        AWStats awstats-6.4.tgz
        http://awstats.sourceforge.net/files/awstats-6.4.tgz
        AWStats AWStats 5.9
        AWStats awstats-6.4.tgz
        http://awstats.sourceforge.net/files/awstats-6.4.tgz
        AWStats AWStats 6.0
        AWStats awstats-6.4.tgz
        http://awstats.sourceforge.net/files/awstats-6.4.tgz
        AWStats AWStats 6.1
        AWStats awstats-6.4.tgz
        http://awstats.sourceforge.net/files/awstats-6.4.tgz
        AWStats AWStats 6.2
        AWStats awstats-6.4.tgz
        http://awstats.sourceforge.net/files/awstats-6.4.tgz
        AWStats AWStats 6.3
        AWStats awstats-6.4.tgz
        http://awstats.sourceforge.net/files/awstats-6.4.tgz

- Vulnerability information (F39420)

Gentoo Linux Security Advisory 200508-7 (PacketStormID:F39420)
2005-08-17 00:00:00
Gentoo  security.gentoo.org
advisory,perl
linux,gentoo
CVE-2005-1527

Gentoo Linux Security Advisory GLSA 200508-07 - When using a URLPlugin, AWStats fails to sanitize Referrer URL data before using them in a Perl eval() routine. Versions less than 6.5 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200508-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: AWStats: Arbitrary code execution using malicious Referrer
            information
      Date: August 16, 2005
      Bugs: #102145
        ID: 200508-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

AWStats fails to validate certain log input, which could lead to the
execution of arbitrary Perl code during the generation of the
statistics.

Background
==========

AWStats is an advanced log file analyzer and statistics generator. In
HTTP reports it parses Referrer information in order to display the
most common Referrer values that caused users to visit the website.

Affected packages
=================

    -------------------------------------------------------------------
     Package          /  Vulnerable  /                      Unaffected
    -------------------------------------------------------------------
  1  net-www/awstats        < 6.5                               >= 6.5

Description
===========

When using a URLPlugin, AWStats fails to sanitize Referrer URL data
before using them in a Perl eval() routine.

Impact
======

A remote attacker can include arbitrary Referrer information in a HTTP
request to a web server, therefore injecting tainted data in the log
files. When AWStats is run on this log file, this can result in the
execution of arbitrary Perl code with the rights of the user running
AWStats.

Workaround
==========

Disable all URLPlugins in the AWStats configuration.

Resolution
==========

All AWStats users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-www/awstats-6.5"

Note: Users with the vhosts USE flag set should manually use
webapp-config to finalize the update.

References
==========

  [ 1 ] CAN-2005-1527
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1527
  [ 2 ] iDEFENSE Advisory
        http://www.idefense.com/application/poi/display?id=290&type=vulnerabilities

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200508-07.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0
    

- Vulnerability information (F39190)

iDEFENSE Security Advisory 2005-08-09.t (PacketStormID:F39190)
2005-08-10 00:00:00
iDefense Labs,Peter Vreugdenhil  idefense.com
advisory,remote,arbitrary
CVE-2005-1527

iDEFENSE Security Advisory 08.09.05 - Remote exploitation of an input validation vulnerability in AWStats allows remote attackers to execute arbitrary commands. Versions below 6.4 are affected.

AWStats ShowInfoURL Remote Command Execution Vulnerability 

iDEFENSE Security Advisory 08.09.05
www.idefense.com/application/poi/display?id=290&type=vulnerabilities
August 09, 2005

I. BACKGROUND

AWStats is a free tool that generates web, streaming, ftp or mail 
server statistics, graphically. It can analyze log files from all major 
server tools like Apache log files (NCSA combined/XLF/ELF log format or 
common/CLF log format), WebStar, IIS (W3C log format) and other web, 
proxy, wap, streaming servers, mail servers and some ftp servers. More 
information is available at the vendor's website:
     
     http://awstats.sourceforge.net

II. DESCRIPTION

Remote exploitation of an input validation vulnerability in AWStats 
allows remote attackers to execute arbitrary commands.

AWStats is a logfile analysis tool that generates reports for ftp, mail 
and web traffic. The problem specifically exists because of 
insufficient input filtering before passing user-supplied data to an 
eval() function. As part of the statistics reporting function, AWStats 
displays information about the most common referrer values that caused 
users to visit the website. The referrer data is used without proper 
sanitation in an eval() statement, resulting in the execution of 
arbitrary perl code.

Shown as follows, the $url parameter contains unfiltered user-supplied 
data that is used in a call to the Perl routine eval() on lines 4841 
and 4842 of awstats.pl (version 6.4):

     my $function="ShowInfoURL_$pluginname('$url')";
     eval("$function");

The malicious referrer value will be included in the referrer 
statistics portion of the AWStats report after AWStats has been run to 
generate a new report including the tainted data. Once a user visits 
the referrer statistics page, the injected perl code will execute with 
permissions of the web service.

III. ANALYSIS

Successful exploitation results in the execution of arbitrary commands 
with permissions of the web service. Exploitation will not occur until 
the stats page has been regenerated with the tainted referrer values 
from the http access log. Note that AWStats is only vulnerable in 
situations where at least one URLPlugin is enabled.

AWStats is a very commonly used web statistics reporting package. Since 
this attack does not require special privileges, it is recommended that 
users update AWStats to the latest available package.

IV. DETECTION

iDEFENSE Labs has confirmed the existence of this vulnerability in 
AWStats 6.3. All earlier versions are suspected vulnerable. AWStats 6.4 
has been released since the initial research on this vulnerability. 
AWStats 6.4 has replaced all eval() statements, and has mitigated the 
exposure to this vulnerability.

V. WORKAROUND

As a workaround solution, disable all URLPlugins in the AWStats
configuration.

VI. VENDOR RESPONSE

This vulnerability has been addressed with the release of AWStats 6.4.

Updated software packages are available from:
  	
   AWStats 6.4: http://awstats.sourceforge.net/#DOWNLOAD 

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-1527 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems. It should be noted that this is similar to but
different from CAN-2005-0436.

VIII. DISCLOSURE TIMELINE

05/12/2005  Initial vendor notification
08/09/2005  Public disclosure

IX. CREDIT

Peter Vreugdenhil (security[at]petervreugdenhil[dot]nl) is credited with
this discovery.

X. LEGAL NOTICES

Copyright (c) 2005 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
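
The string-eval dispatch quoted in section II of the iDEFENSE advisory above, next to a code-reference dispatch that passes the URL as an argument and never compiles it. This is an added example, not code from AWStats or from either advisory; ShowInfoURL_demo, the two dispatch subs and the sample URLs are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical stand-in for a URLPlugin hook (not an AWStats plugin).
sub ShowInfoURL_demo {
    my ($url) = @_;
    return "info for [$url]";
}

# Pattern quoted in the advisory: $url becomes part of Perl source text.
sub dispatch_string_eval {
    my ($pluginname, $url) = @_;
    my $function = "ShowInfoURL_$pluginname('$url')";
    my $out = eval("$function");
    return $out if defined $out;
    (my $err = $@) =~ s/\s+\z//;
    return "eval failed: $err";
}

# Hardened form: look the sub up by name and pass $url as an argument,
# so the value taken from the log is never compiled.
sub dispatch_coderef {
    my ($pluginname, $url) = @_;
    return "rejected plugin name" unless $pluginname =~ /\A\w+\z/;
    my $code = __PACKAGE__->can("ShowInfoURL_$pluginname")
        or return "no hook for plugin";
    return $code->($url);
}

# Constructed inputs: a plain path and one that merely contains a quote.
for my $url ('/index.html', "/books/o'reilly.html") {
    print "string eval: ", dispatch_string_eval('demo', $url), "\n";
    print "code ref:    ", dispatch_coderef('demo', $url), "\n";
}
```

The second input is handled as data by the code-reference form, while the string-eval form fails to compile because the quote inside the URL is parsed as Perl syntax.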
    

- Vulnerability information

18696
AWStats ShowInfoURL Arbitrary Perl Code Execution
Input Manipulation
Loss of Integrity Upgrade
Vendor Verified

- Vulnerability description

- Timeline

2005-08-09 Unknown
Unknown Unknown

- Solution

Upgrade to version 6.5 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

AWStats Referrer Arbitrary Command Execution Vulnerability
Input Validation Error 14525
Yes No
2005-08-09 12:00:00 2006-12-20 09:17:00
Peter Vreugdenhil <security@petervreugdenhil.nl> is credited with the discovery of this vulnerability.

- Affected software versions

Ubuntu Ubuntu Linux 5.04 powerpc
Ubuntu Ubuntu Linux 5.04 i386
Ubuntu Ubuntu Linux 5.04 amd64
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Professional 9.2 x86_64
S.u.S.E. Linux Professional 9.2
S.u.S.E. Linux Professional 9.1 x86_64
S.u.S.E. Linux Professional 9.1
S.u.S.E. Linux Professional 9.0 x86_64
S.u.S.E. Linux Professional 9.0
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1 x86_64
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
Gentoo Linux
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
Debian Linux 3.1
AWStats AWStats 6.3
AWStats AWStats 6.2
AWStats AWStats 6.1
AWStats AWStats 6.0
AWStats AWStats 5.9
AWStats AWStats 5.8
AWStats AWStats 5.7
AWStats AWStats 5.6
AWStats AWStats 5.5
AWStats AWStats 5.4
AWStats AWStats 5.3
AWStats AWStats 5.2
AWStats AWStats 5.1
AWStats AWStats 5.0
AWStats AWStats 6.5.0 build 1.857

- Unaffected software versions

AWStats AWStats 6.5.0 build 1.857

- Vulnerability discussion

AWStats is affected by an arbitrary command-execution vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.

Successful exploitation of this vulnerability will permit an attacker to execute arbitrary Perl code on the system hosting the affected application in the security context of the webserver process. This may aid in further attacks against the underlying system; other attacks are also possible.

Note that this vulnerability is possible only if the affected application has at least one URLPlugin enabled.

- Exploit

No exploit is required.

A proof of concept is available:
http://www.securityfocus.com/data/vulnerabilities/exploits/awstats_poc.pl

- Solution

Please see the referenced vendor advisories for more information.

NOTE: The vendor has addressed this issue in AWStats version 6.4.


AWStats AWStats 5.0

AWStats AWStats 5.1

AWStats AWStats 5.2

AWStats AWStats 5.3

AWStats AWStats 5.4

AWStats AWStats 5.5

AWStats AWStats 5.6

AWStats AWStats 5.7

AWStats AWStats 5.8

AWStats AWStats 5.9

AWStats AWStats 6.0

AWStats AWStats 6.1

AWStats AWStats 6.2

AWStats AWStats 6.3

- Related references

 

 
