CVE-2006-2644 - Remote Arbitrary Command Execution vulnerability in Awstats 6.41/6.5/6.51
- Attack vector: NETWORK
- Attack complexity: LOW
- Privileges required: SINGLE
- Confidentiality impact: NONE
- Integrity impact: PARTIAL
- Availability impact: NONE
Summary
AWStats 6.5, and possibly other versions, allows remote authenticated users to execute arbitrary code by using the configdir parameter to awstats.pl to upload a configuration file whose name contains shell metacharacters, then access that file using the LogFile directive.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 3 |
Nessus
- NASL family: Debian Local Security Checks
- NASL id: DEBIAN_DSA-1075.NASL
- description: Hendrik Weimer discovered that awstats can execute arbitrary commands under the user id the web-server runs when users are allowed to supply arbitrary configuration files. Even though, this bug was referenced in DSA 1058 accidentally, it was not fixed yet. The new default behaviour is not to accept arbitrary configuration directories from the user. This can be overwritten by the AWSTATS_ENABLE_CONFIG_DIR environment variable when users are to be trusted. The old stable distribution (woody) does not seem to be affected by this problem.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 22617
- published: 2006-10-14
- reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/22617
- title: Debian DSA-1075-1 : awstats - programming error
- code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-1075. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(22617);
  script_version("1.16");
  script_cvs_date("Date: 2019/08/02 13:32:19");

  script_cve_id("CVE-2006-2644");
  script_xref(name:"DSA", value:"1075");

  script_name(english:"Debian DSA-1075-1 : awstats - programming error");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Hendrik Weimer discovered that awstats can execute arbitrary commands under the user id the web-server runs when users are allowed to supply arbitrary configuration files. Even though, this bug was referenced in DSA 1058 accidentally, it was not fixed yet.
The new default behaviour is not to accept arbitrary configuration directories from the user. This can be overwritten by the AWSTATS_ENABLE_CONFIG_DIR environment variable when users are to be trusted. The old stable distribution (woody) does not seem to be affected by this problem."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=365910"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.debian.org/security/2006/dsa-1075"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade the awstats package. For the stable distribution (sarge) this problem has been fixed in version 6.4-1sarge3."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:awstats");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2006/05/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/14");
  script_set_attribute(attribute:"vuln_publication_date", value:"2006/05/26");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;
if (deb_check(release:"3.1", prefix:"awstats", reference:"6.4-1sarge3")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0,
    extra:deb_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```

- NASL family: SuSE Local Security Checks
- NASL id: SUSE_SA_2006_033.NASL
- description: The remote host is missing the patch for the advisory SUSE-SA:2006:033 (awstats). This update fixes remote code execution vulnerabilities in the WWW statistical analyzer awstats. Since back porting awstats fixes is error prone we have upgraded it to upstream version 6.6 which also includes new features. Following security issues were fixed: - CVE-2006-2237: missing sanitizing of the
- last seen: 2019-10-28
- modified: 2007-02-18
- plugin id: 24414
- published: 2007-02-18
- reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/24414
- title: SUSE-SA:2006:033: awstats
- code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# This plugin text was extracted from SuSE Security Advisory SUSE-SA:2006:033
#

if ( ! defined_func("bn_random") ) exit(0);

include("compat.inc");

if(description)
{
 script_id(24414);
 script_version ("1.9");

 name["english"] = "SUSE-SA:2006:033: awstats";
 script_name(english:name["english"]);

 script_set_attribute(attribute:"synopsis", value:
"The remote host is missing a vendor-supplied security patch" );
 script_set_attribute(attribute:"description", value:
"The remote host is missing the patch for the advisory SUSE-SA:2006:033 (awstats).

This update fixes remote code execution vulnerabilities in the WWW statistical analyzer awstats.
Since back porting awstats fixes is error prone we have upgraded it to upstream version 6.6 which also includes new features.

Following security issues were fixed:
- CVE-2006-2237: missing sanitizing of the 'migrate' parameter. #173041
- CVE-2006-2644: missing sanitizing of the 'configdir' parameter. #173041
- Make sure open() only opens files for read/write by adding explicit < and >."
 );
 script_set_attribute(attribute:"solution", value:
"http://www.novell.com/linux/security/advisories/2006_33_awstats.html" );
 script_set_attribute(attribute:"risk_factor", value:"High" );

 script_set_attribute(attribute:"plugin_publication_date", value: "2007/02/18");
 script_end_attributes();

 summary["english"] = "Check for the version of the awstats package";
 script_summary(english:summary["english"]);

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
 family["english"] = "SuSE Local Security Checks";
 script_family(english:family["english"]);

 script_dependencies("ssh_get_info.nasl");
 script_require_keys("Host/SuSE/rpm-list");
 exit(0);
}

include("rpm.inc");

if ( rpm_check( reference:"awstats-6.6-0.1", release:"SUSE10.0") )
{
 security_hole(0);
 exit(0);
}
if ( rpm_check( reference:"awstats-6.6-0.1", release:"SUSE9.1") )
{
 security_hole(0);
 exit(0);
}
if ( rpm_check( reference:"awstats-6.6-0.1", release:"SUSE9.2") )
{
 security_hole(0);
 exit(0);
}
if ( rpm_check( reference:"awstats-6.6-0.1", release:"SUSE9.3") )
{
 security_hole(0);
 exit(0);
}
```

- NASL family: Ubuntu Local Security Checks
- NASL id: UBUNTU_USN-290-1.NASL
- description: Hendrik Weimer discovered a privilege escalation vulnerability in awstats. By supplying the
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 27862
- published: 2007-11-10
- reporter: Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/27862
- title: Ubuntu 5.04 / 5.10 / 6.06 LTS : awstats vulnerability (USN-290-1)

- NASL family: SuSE Local Security Checks
- NASL id: SUSE_AWSTATS-1612.NASL
- description: This update fixes remote code execution vulnerabilities in awstats. Since backporting awstats fixes is error prone we have upgraded it to upstream version 6.6, which also includes new features. Security issues fixed: - CVE-2006-2237: missing sanitizing of the
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 27163
- published: 2007-10-17
- reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/27163
- title: openSUSE 10 Security Update : awstats (awstats-1612)

References
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=365910
- http://secunia.com/advisories/20164
- http://secunia.com/advisories/20283
- http://secunia.com/advisories/20502
- http://secunia.com/advisories/20710
- http://www.debian.org/security/2006/dsa-1075
- http://www.novell.com/linux/security/advisories/2006_33_awstats.html
- http://www.osreviews.net/reviews/comm/awstats
- http://www.securityfocus.com/bid/18327
- http://www.vupen.com/english/advisories/2006/1998
- https://usn.ubuntu.com/290-1/