TYPO3 Security Bulletin

Remote exploitation of an input validation vulnerability in AWStats allows remote attackers to execute arbitrary commands. Successful exploitation results in the execution of arbitrary commands with permissions of the web service. This may compromise systems using extensions providing AWStats.

Component Type: Third Party Extension. This extension is third party code that has not been submitted to the TYPO3 extension review process yet. The extension is not part of TYPO3 default installations.

Affected Component: cc_awstats (and possibly other AWStats-based extensions)

Version: 0.9.0 and earlier
Vulnerability Type: Remote Exploit
Severity: Medium

Problem Description:

Exploitation will not occur until the stats page has been regenerated with the tainted referrer values from the HTTP access log. Note that AWStats is only vulnerable in situations where at least one URLPlugin is enabled.
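As an added illustration (not part of the bulletin, the extension, or AWStats itself), a small Python check that scans combined-format access log lines for Referer values carrying shell or interpolation metacharacters, so that suspect entries can be reviewed before AWStats regenerates its pages from the log; the log lines are constructed samples.

```python
import re

# Apache/nginx "combined" log format: the referrer is the first quoted field
# after the status and size columns.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Characters that do not belong in a legitimate Referer URL but matter to a
# shell or to string interpolation; AWStats builds its report pages from
# exactly this field, so these are the entries worth a closer look.
SUSPICIOUS = re.compile(r'[`|;$(){}<>]')


def parse_combined(line):
    """Return the named fields of one combined-format log line, or None."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def suspicious_referrers(lines):
    """Return a list of (host, referrer) for lines whose Referer field contains
    shell or interpolation metacharacters; unparsable lines and empty
    referrers ("-") are skipped."""
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None or rec["referrer"] in ("-", ""):
            continue
        if SUSPICIOUS.search(rec["referrer"]):
            hits.append((rec["host"], rec["referrer"]))
    return hits


# Constructed sample lines, not taken from any real server log.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Aug/2005:12:00:00 +0200] "GET / HTTP/1.1" 200 1234 '
    '"http://www.example.com/page" "Mozilla/5.0"',
    '192.0.2.11 - - [10/Aug/2005:12:00:01 +0200] "GET /index.php HTTP/1.1" 200 2345 '
    '"-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Aug/2005:12:00:02 +0200] "GET / HTTP/1.1" 200 1234 '
    '"http://bad.example/`x`;" "curl/7.0"',
]

if __name__ == "__main__":
    for host, ref in suspicious_referrers(SAMPLE_LOG):
        print(f"review referrer logged from {host}: {ref!r}")
```

Running the check against the log before the scheduled AWStats update gives administrators a chance to purge or quarantine tainted entries rather than letting them reach the statistics generator.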

The extension author's opinion is that under normal circumstances the extension is not affected by these security issues. For more information, see the “Security” section of the extension manual.

Solution:
An updated version (0.10.0) of the extension can be found at typo3.org/extensions/repository/list/cc_awstats/ or via the Extension Manager. All users of this extension are advised to update it immediately.

References:
http://www.idefense.com/application/poi/display?id=290&type=vulnerabilities&flashstatus=true

Other possibly affected extensions:
There are two further extensions shipping (outdated) versions of AWStats, namely Individual AW Stats (ind_cc_awstats) and Galileo Awstats (galileo_awstats). The latter is considered to pose a high risk! The authors of the mentioned extensions have been contacted by the TYPO3 security team.

Credits:
Thanks to Jochen Weiland for notifying us and to René Fritz for investigating the issue and immediately updating the extension.