AusCERT Update AU-2005.0005 - AWStats remote command execution vulnerability actively exploited in wild 9 February 2005
ID: 00115
Ref: 99/2005
Date: 09 February 2005:14:50:51
Version: 1
AusCERT Update AU-2005.0005 - AWStats remote command execution vulnerability
actively exploited in wild 9 February 2005
AusCERT Update Summary
----------------------
Product: AWStats
Operating System: BSD variants, Linux variants, UNIX variants, Windows
Impact: Execute Arbitrary Code/Commands
Access: Remote/Unauthenticated
AusCERT has seen reports of exploits in the wild for the vulnerability
described in AusCERT ESB-2005.0049, 'AWStats Remote Command Execution
Vulnerability'.
A number of high-profile sites have been reported to be compromised using
this technique [1]. According to some reports [2], web server operators will
typically see requests for awstats.pl in their web server logs with system
commands passed in via GET parameters. These may include commands such as 'id',
allowing an attacker to determine the user context that the web server
software is running as before running further commands.
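As an added example (not part of the AusCERT bulletin), a small Python check that scans web server log lines for awstats.pl requests whose GET parameter values carry shell metacharacters or command names such as 'id'; the combined log format, the parameter name and the sample lines are constructed for the example.

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qsl

# Assumption: the server writes NCSA/Apache combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
# Shell metacharacters that have no legitimate use in an awstats.pl query string.
SHELL_META = re.compile(r'[|;`]|\$\(')
# 'id' is the command the bulletin mentions; the rest are common follow-on
# commands (assumption, extend to taste).
COMMANDS = {"id", "uname", "cat", "wget", "curl", "perl", "sh"}

# Constructed sample log lines (placeholder parameter name, documentation IPs).
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Feb/2005:14:50:51 +1000] "GET /cgi-bin/awstats.pl?config=example.org&lang=en HTTP/1.1" 200 5120',
    '198.51.100.7 - - [09/Feb/2005:14:51:03 +1000] "GET /cgi-bin/awstats.pl?param=%7Cid%7C HTTP/1.1" 200 312',
    '198.51.100.7 - - [09/Feb/2005:14:51:09 +1000] "GET /index.html HTTP/1.1" 200 1024',
]

def suspicious_params(url):
    """Return decoded parameter values of an awstats.pl request that look like
    shell commands; an empty list for any other request."""
    parts = urlsplit(url)
    if not parts.path.endswith("awstats.pl"):
        return []
    hits = []
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = unquote_plus(value)  # second decode catches double-encoded values
        tokens = set(re.findall(r'[A-Za-z0-9_./-]+', decoded))
        if SHELL_META.search(decoded) or tokens & COMMANDS:
            hits.append(decoded)
    return hits

def scan_log(lines):
    """Return (ip, timestamp, url, status, hits) for each suspicious awstats.pl request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        hits = suspicious_params(m["url"])
        if hits:
            findings.append((m["ip"], m["ts"], m["url"], int(m["status"]), hits))
    return findings

if __name__ == "__main__":
    for ip, ts, url, status, hits in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} status={status} {url} -> {hits}")
```

A 200 status on a flagged request is worth treating as a probable compromise rather than a mere probe, since the bulletin notes attackers use 'id' to learn the web server's user context before running further commands.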
There is no solid evidence yet that these attacks are automated, but automation
is likely to be possible now or at a future point, possibly using internet
search engines to locate vulnerable sites. AusCERT again advises all AWStats
users to upgrade to the latest version of this software.
[1] http://www.viruslist.com/en/weblog?weblogid=158948637
[2] http://isc.sans.org/diary.php?date=2005-01-31
AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security bulletin
is the responsibility of each user or organisation, and should be considered
in accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192