| ||||||||||||||||||||||||||
awstats: command injection vulnerability
(Log in to post comments)
awstats: unsafe at any CGI speed? Posted Aug 18, 2005 23:13 UTC (Thu) by rickmoen (subscriber, #6943) [Link] I still have a very bad taste in my mouth from a AWstats security debacle in which the CGI failed to competently validate input from arbitrary remote locations on the URL line (fed via browsing HTTP sessions). I'll admit to having been lazy and getting caught napping on that: My server was root compromised via that (earlier) irritating coding bug, in late January '05.If I ever bother setting up the package again, it will be entirely using cronjob-driven refreshes of the AWstats Web pages, such that the apparently highly untrustworthy awstats.pl script doesn't need to go into any public or even semi-public cgi-bin directory. It's just not worth the headache. The developer's site gives some tips on how to do this, but I really honestly think the package should default to a non-CGI-based configuration unless/until the author cleans up his act re: input validation. (Sorry if the above seems a bit sour: Having had to endure an unplanned 22-hour server rebuild will do that to you.) Rick Moen
awstats: unsafe at any CGI speed? Posted Nov 11, 2005 19:29 UTC (Fri) by rickmoen (subscriber, #6943) [Link] Er, to correct the above: The intruder gets only httpd-level privilege through this and similar CGI bugs; host compromise would require separate escalation through some other exploit.
(My host was almost certainly not compromised: The IDSes and other checks showed no signs. However, I was a bit shocked that I'd been as careless as I'd been, and a rebuild was overdue, anyway.)
Rick Moen
|
||||||||||||||||||||||||||