The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

awstats vulnerability

Discussion in 'General Discussion' started by Jeewhizz, Feb 4, 2005.

  1. Jeewhizz

    Jeewhizz Well-Known Member

    Joined:
    Mar 12, 2003
    Messages:
    51
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    London, England
    taken from http://awstats.sourceforge.net/

    Just letting you all know :)
     
  2. mindshift

    mindshift Member

    Joined:
    Jun 26, 2002
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
  3. Marty

    Marty Well-Known Member

    Joined:
    Oct 10, 2001
    Messages:
    630
    Likes Received:
    1
    Trophy Points:
    18
    The default setup of awstats on cpanel has:

    AllowToUpdateStatsFromBrowser=0

    However, an upgrade would be nice.
     
  4. haze

    haze Well-Known Member

    Joined:
    Dec 21, 2001
    Messages:
    1,550
    Likes Received:
    3
    Trophy Points:
    38
    This has already been fixed in current and edge if you take a look at the changelog.
     
  5. sneader

    sneader Well-Known Member

    Joined:
    Aug 21, 2003
    Messages:
    1,126
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    La Crosse, WI
    cPanel Access Level:
    Root Administrator
    Hmmm... I'm set up for automatic updates, and I'm on Current 52. Yet I was able to get a directory listing by editing the awstats URL like:

    https://server10.mydomain.com:2083/awstats.pl?config=mycustomersdomain.com&pluginmode=:system("/bin/ls");

    I added on the &pluginmode=:system("/bin/ls"); per the exploit paper that is on the net.

    What I got returned to me when I issued that command was the expected directory listing.

    Is this normal, even with a properly patched awstats?

    I realize that most customers have their awstats password protected... so maybe I shouldn't worry? :)

    - Scott
     
  6. dezignguy

    dezignguy Well-Known Member

    Joined:
    Sep 26, 2004
    Messages:
    534
    Likes Received:
    0
    Trophy Points:
    16
    No, that's not good, if you can run that command you can run other commands that are more dangerous.

    That line doesn't work on my manually patched awstats, so I can only assume that yours isn't patched.

    While I'm fairly sure that cpanel servers aren't vulnerable to a remote exploit (by just anyone), local users and anyone who can login to cpanel can exploit this. But it's highly recommended to fix it... it may only be a matter of time before someone figures out some way to remotely hack it... or it may be another step on the way to for a hacker within your system getting root.
     
    #6 dezignguy, Feb 7, 2005
    Last edited: Feb 7, 2005
  7. bking

    bking Well-Known Member

    Joined:
    Mar 1, 2004
    Messages:
    206
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Sydney
    I am using Current 52 and am still able to execute commands from the address bar...
     
  8. jamesbond

    jamesbond Well-Known Member

    Joined:
    Oct 9, 2002
    Messages:
    738
    Likes Received:
    1
    Trophy Points:
    18
    I manually patched it a week ago, but didn't check if it actually fixed the issue. Just tried it, and I can still execute commands...
    I don't see what I'm missing here, there is only 1 awstats.pl (and 1 symlink), so I can't be patching the wrong file :)
    I just unchecked 'Allow users to update Awstats from cPanel' but it still shows an "Update now" link in Cpanel.

    EDIT: I took a closer look at the idefense patch and it seems it is only for exploits using the configdir command, so it doesn't stop the other types of exploits like the one mentioned in this thread.

    Adding this seemed to work for the exploit mentioned in this thread, I don't know if there are other versions going around though:

    Code:
            if ($QueryString =~ /pluginmode=([^&]+)/i)
            {
            $PluginMode=&DecodeEncodedString("$1");
            $PluginMode=~tr/a-z0-9_\-\/\./a-z0-9_\-\/\./cd;
            }
    
    
     
    #8 jamesbond, Feb 7, 2005
    Last edited: Feb 7, 2005
  9. AlexAT

    AlexAT Well-Known Member
    PartnerNOC

    Joined:
    May 23, 2003
    Messages:
    203
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Ukraine
    cPanel Access Level:
    Root Administrator
    It is security risk!

    When there will be release for RELEASE and STABLE?
     
  10. Rubas

    Rubas Well-Known Member

    Joined:
    Sep 15, 2003
    Messages:
    125
    Likes Received:
    0
    Trophy Points:
    16
    Don't worry, the script is running under the account of the client and it is protected by the cpanel auth.

    https://domain.com:2083/awstats.pl?config=domain.com&lang=en&pluginmode=:system(%22id%22);
     
  11. Escaflowne

    Escaflowne Active Member

    Joined:
    May 5, 2004
    Messages:
    40
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    PL
    Running cPanel 9.9.8-S14 on FreeBSD.

    How to manually update CPanel?
     
  12. fusioncroc

    fusioncroc Well-Known Member

    Joined:
    Sep 28, 2004
    Messages:
    261
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    U.K.
    Well people with a cpanel account could comprimise the server this way
     
  13. Shane_F

    Shane_F Member

    Joined:
    Jan 21, 2005
    Messages:
    23
    Likes Received:
    0
    Trophy Points:
    1
    6.3 is out. I wonder if they will update accross all versions/ I been running 6.3 since development and I am going to upgrade to 6.3 stable later tonight.
     
  14. fuzioneer

    fuzioneer Well-Known Member

    Joined:
    Dec 12, 2003
    Messages:
    98
    Likes Received:
    0
    Trophy Points:
    6
    so the question is, how do we manually override and install the latest version of Awstats to 6.3 and it still be integrated into cpanel ok ?
     
  15. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,446
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:

    C52 here as well. Using this URL logged in as a user, what I get back is this;
    (numbers and name changed)

     
  16. Rubas

    Rubas Well-Known Member

    Joined:
    Sep 15, 2003
    Messages:
    125
    Likes Received:
    0
    Trophy Points:
    16
    Please reread this, because there is actually no security issue with the cpanel installation of awstats.

     
  17. cyanide

    cyanide Well-Known Member

    Joined:
    Aug 11, 2003
    Messages:
    106
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Toronto, Canada
    If you upgrade to Current 82, Awstats has been upgraded to 6.3
     
  18. dezignguy

    dezignguy Well-Known Member

    Joined:
    Sep 26, 2004
    Messages:
    534
    Likes Received:
    0
    Trophy Points:
    16
    There is a security issue because your cpanel users can possibly do things they aren't supposed to and perhaps even get root. While your users are a bit more trusted than just anyone out on the net, you still restrict their priviledges, don't you?

    But it's been fixed, so if you update - you don't have to worry about it.
     
  19. DigiCrime

    DigiCrime Well-Known Member

    Joined:
    Nov 27, 2002
    Messages:
    399
    Likes Received:
    0
    Trophy Points:
    16
    How about the stable or release build is there a fix in these?
     
  20. webignition

    webignition Well-Known Member

    Joined:
    Jan 22, 2005
    Messages:
    1,880
    Likes Received:
    0
    Trophy Points:
    36
    I'm running release 85 and it has the fix afaik.
     
Loading...

Share This Page