: Security Bulletin TYPO3-20050812-1

Categories: Security Created by Karsten Dambekalns
Possible remote exploit with AWStats. The TYPO3 Security Team has issued a security bulletin which explains and fixes a possible problem with extensions shipping AWStats.

Component Type: Extension
Affected Component: cc_awstats (and possibly others)
Version: 0.9.0 and earlier
Vulnerability Type: Remote Exploit
Severity: Medium

Problem Description:
Remote exploitation of an input validation vulnerability in AWStats allows remote attackers to execute arbitrary commands. Successful exploitation results in the execution of arbitrary commands with permissions of the web service. This may compromise systems using extensions providing AWStats.

Exploitation will not occur until the stats page has been regenerated with the tainted referrer values from the http access log. Note that AWStats is only vulnerable in situations where at least one URLPlugin is enabled.

The extension authors opinion is that in normal circumstances the extension is not affected by these security issues. For more information have a look in the section ?security? of the extension manual.

Solution:

An updated version (0.10.0) of the extension can be found on typo3.org/extensions/repository/list/cc_awstats/ or via Extension Manager. All users of this extension are advised to immediatly update this extension.

References:
http://www.idefense.com/application/poi/display?id=290&type=vulnerabilities&flashstatus=true

Other possibly affected extensions:

There are two further extensions shipping (outdated) versions of AWStats, namely Individual AW Stats (ind_cc_awstats) and Galileo Awstats (galileo_awstats). The latter is considered to pose a high risk! The authors of the mentioned extensions have been contacted by the TYPO3 security team.

Credits:

Thanks to Jochen Weiland for notifying us and to René Fritz for investigating the issue and immediately updating the extension