> Source: http://www.osreviews.net/reviews/comm/awstats
>
> | If the update of the stats via web front-end is allowed, a remote
> | attacker can execute arbitrary code on the server using a specially
> | crafted request involving the migrate parameter. Input starting with
> | a pipe character ("|") leads to an insecure call to Perl's open
> | function and the rest of the input being executed in a shell. The
> | code is run in the context of the process running the AWStats CGI.
>
> Note that AllowToUpdateStatsFromBrowser, which is required for
> successful exploitation, is disabled by default.

This one is indeed a bug, which is fixed in version 6.6.

Eldy, since we need to patch fixes for this bug into previously released
versions of the Debian awstats package, can you please confirm the exact
change required to fix this?

A cursory overview of versions 6.5 and 6.6 suggests that we need to
change:

    $MigrateStats=&DecodeEncodedString("$2");

to:

    $MigrateStats=&Sanitize(&DecodeEncodedString("$2"));

Is that correct?

thanks,
Charles
--
The more
You shave
The brushless way
The more you'll be
Inclined to say--
Burma-Shave
http://burma-shave.org/jingles/1948/the_more
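
Added example, not part of the original message and not AWStats code: it shows how Perl's two-argument open treats a value such as the migrate input quoted above, next to an allowlist check and a three-argument open. The sub names, the sample inputs and the "bare file name only" policy are assumptions made for illustration; this is not the body of AWStats' Sanitize.

```perl
#!/usr/bin/perl
# Added illustration, not AWStats code. All sub names are hypothetical.
use strict;
use warnings;

# Report how Perl's two-argument open(FH, $arg) would interpret $arg.
# Nothing is opened or executed here; this only mirrors the mode parsing
# for the common prefixes and suffixes.
sub two_arg_open_mode {
    my ($arg) = @_;
    (my $s = $arg) =~ s/^\s+|\s+$//g;   # two-arg open ignores surrounding whitespace
    return 'pipe to command'   if $s =~ /^\|/;
    return 'pipe from command' if $s =~ /\|$/;
    return 'append'            if $s =~ /^>>/;
    return 'write/truncate'    if $s =~ /^>/;
    return 'read/write'        if $s =~ /^\+/;
    return 'read';
}

# Assumed policy: accept a bare file name only, so no path separators,
# whitespace, pipes or redirection characters can reach open().
sub is_plain_file_name {
    my ($name) = @_;
    return defined $name && $name =~ /\A[A-Za-z0-9][A-Za-z0-9._-]*\z/ ? 1 : 0;
}

# Three-argument open: the mode is a separate literal, so the file name
# is never parsed for a mode or a pipe, whatever it contains.
sub open_for_read {
    my ($name) = @_;
    die "rejected file name\n" unless is_plain_file_name($name);
    open(my $fh, '<', $name) or die "cannot open '$name': $!\n";
    return $fh;
}

# Constructed sample inputs (not taken from any real request).
my @samples = (
    'awstats052006.example.txt',
    '|echo marker',
    ' | echo marker',
    'echo marker |',
    '>>stats.txt',
);
for my $in (@samples) {
    printf "%-28s two-arg open: %-18s allowlist: %s\n",
        "[$in]", two_arg_open_mode($in),
        is_plain_file_name($in) ? 'accept' : 'reject';
}
```

Only the first sample is classified as a plain read and accepted; the others are rejected before any open call is reached.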

