[Pkg-awstats-devel] Bug#353932: machine compromised with awstats.pl?configdir
Charles Fry
debian at frogcircus.org
Mon Mar 6 15:29:08 UTC 2006
> > Someone was able to install zbind on my machine using the following scripts.
> > The damage was limited to www-data, a restricted user, and logs were able
> > to monitor behaviour, but posed a large threat.
> <snip>
>
> I notice that the attacker tried a number of different URLs. Is it
> possible that there was a second version of awstats installed, aside
> from the packaged version, and that that was vulnerable to the configdir
> exploit?
He uses all of the following paths, with the indicated response code:
/awstats/awstats.pl: 404
/cgi-bin/awstats.pl: 200
/cgi-bin/awstats/awstats.pl: 404
The second one appears to have been the one that succeeded, and that is
indeed the location of the Debian-installed awstats script (assuming
that there was no custom apache configuration or virtual hosts or user
directories to modify cgi-bin).
But I tend to agree with you that there may have been a custom installed
script available at that location that was vulnerable.
Charles
--
To a substitute
He gave a trial
It took off
Nothing
But his smile
Burma-Shave
http://burma-shave.org/jingles/1945/to_a_substitute
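The reply above works out which awstats.pl location actually answered the configdir probes by reading the response codes off the access log. The following is an added example, not code from the thread or from the awstats package, that automates that check: it parses Apache combined-format log lines, keeps only requests to an awstats.pl path that carry a configdir query parameter (the parameter named in the bug subject), and reports the status codes seen per path, so a defender can see at a glance which copy of the script was reachable. The log lines are constructed for the example; the addresses, timestamps and parameter values in them are invented.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log (Apache combined format). Invented addresses
# and values; the three probed paths mirror the ones listed in the reply.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Mar/2006:14:02:11 +0000] "GET /awstats/awstats.pl?configdir=x HTTP/1.0" 404 210 "-" "Mozilla/4.0"
203.0.113.5 - - [06/Mar/2006:14:02:12 +0000] "GET /cgi-bin/awstats.pl?configdir=x HTTP/1.0" 200 3912 "-" "Mozilla/4.0"
203.0.113.5 - - [06/Mar/2006:14:02:13 +0000] "GET /cgi-bin/awstats/awstats.pl?configdir=x HTTP/1.0" 404 210 "-" "Mozilla/4.0"
198.51.100.9 - - [06/Mar/2006:14:05:00 +0000] "GET /cgi-bin/awstats.pl?config=example.org HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Enough of the combined log format to pull out client, request target and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def find_configdir_requests(log_text):
    """Return (client, path, status) for every request to an awstats.pl path
    whose query string contains a configdir parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m.group('target'))
        if not parts.path.endswith('/awstats.pl'):
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        if 'configdir' in params:
            hits.append((m.group('ip'), parts.path, int(m.group('status'))))
    return hits


def summarize_by_path(hits):
    """Map each probed path to the sorted list of status codes it returned."""
    by_path = defaultdict(set)
    for _, path, status in hits:
        by_path[path].add(status)
    return {path: sorted(codes) for path, codes in by_path.items()}


def reachable_paths(summary):
    """Paths that answered a configdir probe with 200: these are the script
    copies that were actually reachable and need to be checked against the
    packaged version."""
    return sorted(path for path, codes in summary.items() if 200 in codes)


if __name__ == '__main__':
    hits = find_configdir_requests(SAMPLE_LOG)
    for path, codes in sorted(summarize_by_path(hits).items()):
        print(f'{path}: {codes}')
    print('reachable:', reachable_paths(summarize_by_path(hits)))
```

Run it against a real access log by reading the file into `find_configdir_requests`; a path that shows up with a 200 but is not where the Debian package installs the script points at a separately installed copy, which is the possibility the reply raises.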