[Snort-sigs] Awstats Remote Code Execution

Nigel Houghton nigel at ...435...
Tue Jan 25 11:00:13 EST 2005


On  0, Frank Knobbe <frank at ...1978...> allegedly wrote:
> On Tue, 2005-01-25 at 12:49 +0000, Chas Tomlin wrote:
> > http://www.k-otik.com/exploits/20050124.awexpl.c.php
> > 
> > alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Awstats Remote Code
> > Execution Attempt"; flow: from_client; pcre:"/awstats.pl\?configdir=/i";
> > classtype:web-application-attack;sid:3000621; rev:1;)
> > 
> > I guess it could use uricontent instead of a pcre.
> 
> That's easily done. See a previous post by Nigel.
> 
> I have committed a modified version to the Bleeding rules:
> 
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"BLEEDING-EDGE
> EXPLOIT Awstats Remote Code Execution Attempt"; flow:established,
> from_client; pcre:"/awstats.pl\?configdir=/iU";
> classtype:web-application-attack;sid:2001686; rev:1;)
> 
> Note the /iU at the end of the pcre. /U will match on URL decoded
> strings.
> 
> Regards,
> Frank

Slightly off-topic here, but if any of you folks use awstats, this
vulnerability does not affect the static output functionality of awstats, 
nor can you access the web interface with the appropriate restrictions 
set in your awstats.conf.

Original advisory[0] and published exploit[1]

The fix is also trivial.

[0] http://www.idefense.com/application/poi/display?id=185&type=vulnerabilities
[1] http://www.k-otik.com/exploits/20050124.awexpl.c.php

+-----------------------------------------------------------------+
    Nigel Houghton      Research Engineer       Sourcefire Inc.
                  Vulnerability Research Team

 Stewie: You know, I rather like this God fellow. Very theatrical, 
         you know. Pestilence here, a plague there. Omnipotence 
				 ...gotta get me some of that.
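
Added example (not part of the thread or of the Bleeding rules): a Python sketch of the point made above about /U, checking the same pattern against the raw request URI and against the percent-decoded URI from web server log lines. Percent-decoding with urllib is an assumed stand-in for Snort's URI normalization, and the log lines, addresses and PLACEHOLDER values are constructed.

```python
import re
from urllib.parse import unquote

# Pattern as posted in the rules above (case-insensitive, dot left unescaped).
PATTERN = re.compile(r"awstats.pl\?configdir=", re.IGNORECASE)

# Request target from a combined-log-format line.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def scan(lines):
    """Return (uri, raw_hit, decoded_hit) for every line with a parsable request."""
    results = []
    for line in lines:
        m = REQUEST.search(line)
        if m is None:
            continue
        uri = m.group(1)
        raw_hit = bool(PATTERN.search(uri))
        # Assumption: one round of percent-decoding approximates the
        # normalized URI buffer that the /U modifier matches against.
        decoded_hit = bool(PATTERN.search(unquote(uri)))
        results.append((uri, raw_hit, decoded_hit))
    return results


def missed_by_raw(lines):
    """URIs that only match once decoded, i.e. what a rule without /U would miss."""
    return [uri for uri, raw, dec in scan(lines) if dec and not raw]


# Constructed sample lines: documentation addresses, placeholder parameter values.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Jan/2005:10:00:01 -0500] '
    '"GET /cgi-bin/awstats.pl?configdir=PLACEHOLDER HTTP/1.0" 200 512',
    '192.0.2.11 - - [25/Jan/2005:10:00:02 -0500] '
    '"GET /cgi-bin/awstats.pl?config%64ir=PLACEHOLDER HTTP/1.0" 200 512',
    '192.0.2.12 - - [25/Jan/2005:10:00:03 -0500] '
    '"GET /cgi-bin/AWStats.PL?ConfigDir=PLACEHOLDER HTTP/1.0" 200 512',
    '192.0.2.13 - - [25/Jan/2005:10:00:04 -0500] '
    '"GET /cgi-bin/awstats.pl?config=www.example.com HTTP/1.0" 200 4096',
]

if __name__ == "__main__":
    for uri, raw, dec in scan(SAMPLE_LOG):
        print(f"raw={raw!s:5} decoded={dec!s:5} {uri}")
    print("missed without decoding:", missed_by_raw(SAMPLE_LOG))
```
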