Full Disclosure: Re: iDEFENSE Security Advisory 08.09.05: AWStats ShowInfoURL Remote Command Execution Vulnerability

Re: iDEFENSE Security Advisory 08.09.05: AWStats ShowInfoURL Remote Command Execution Vulnerability

From: Martin Pitt <martin.pitt_at_canonical.com>
Date: Thu, 11 Aug 2005 12:45:45 +0200

Hi Laurent, hi iDEFENSE!

iDEFENSE Labs [2005-08-09 12:24 -0400]:
> Shown as follows, the $url parameter contains unfiltered user-supplied
> data that is used in a call to the Perl routine eval() on lines 4841
> and 4842 of awstats.pl (version 6.4):
>
> my $function="ShowInfoURL_$pluginname('$url')";
> eval("$function");

Thanks for spotting this. Also, please note that you correctly state
that this vulnerable code is from 6.4.

> iDEFENSE Labs has confirmed the existence of this vulnerability in
> AWStats 6.3. All earlier versions are suspected vulnerable. AWStats 6.4
> has been released since the initial research on this vulnerability.
> AWStats 6.4 has replaced all eval() statements, and has mitigated the
> exposure to this vulnerability.

6.4 still contains loads of eval() statements, and still seems
vulnerable to this flaw, since the quoted code hasn't changed at
all.

> This vulnerability has been addressed with the release of AWStats 6.4.

As far as I can see, it is not yet fixed even in upstream CVS in
awstats.pl.

  http://cvs.sourceforge.net/viewcvs.py/awstats/awstats/wwwroot/cgi-bin/awstats.pl

So am I totally confused and somehow this was fixed in a different
place (although I can't see how)? Or is this not yet fixed at all?

Thanks,

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org
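
As an added illustration (this is not AWStats' own code and is not part of either message above), the string-eval pattern quoted from the advisory is shown next to a dispatch-table version that passes $url as a plain argument instead of interpolating it into Perl source. The plugin names and ShowInfoURL_* subs are hypothetical stand-ins.

```perl
#!/usr/bin/perl
# Added example, not AWStats code. The quoted pattern builds program text
# from $pluginname and $url and hands it to string eval(), so any quote,
# semicolon or backtick inside $url is parsed as Perl. The safe form never
# puts user data into code: the plugin name is looked up in a fixed table
# of known handlers and $url travels as an ordinary argument.
use strict;
use warnings;

# Hypothetical handlers standing in for AWStats' ShowInfoURL_* plugin subs.
sub ShowInfoURL_geoip { my ($url) = @_; return "geoip:$url"; }
sub ShowInfoURL_whois { my ($url) = @_; return "whois:$url"; }

# Dispatch table: the only code that can ever run for a plugin name.
my %show_info_url = (
    geoip => \&ShowInfoURL_geoip,
    whois => \&ShowInfoURL_whois,
);

# Vulnerable shape from the advisory: $url becomes part of the program text.
sub show_info_url_eval {
    my ($pluginname, $url) = @_;
    my $function = "ShowInfoURL_$pluginname('$url')";
    return eval("$function");
}

# Hardened: no string eval. Unknown plugin names are refused, and $url is
# data, so whatever characters it carries cannot change what executes.
sub show_info_url_safe {
    my ($pluginname, $url) = @_;
    my $handler = $show_info_url{$pluginname}
        or return "unknown plugin '$pluginname'";
    return $handler->($url);
}

# Constructed input: a URL containing a single quote. The safe version
# treats it as text; the string-eval version fails to compile it, which
# shows that the contents of $url are being interpreted as code.
my $odd_url = "http://example.test/it's";
print "safe: ", show_info_url_safe('geoip', $odd_url), "\n";
my $r = show_info_url_eval('geoip', $odd_url);
print "eval: ", (defined $r ? $r : "failed: $@"), "\n";
print "safe: ", show_info_url_safe('nosuch', $odd_url), "\n";
```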

Received on Aug 11 2005