| Field | Value |
|---|---|
| VID | 21528 |
| Severity | 40 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description | The AWStats Rawlog Plugin is vulnerable to an input validation vulnerability in the 'logfile' parameter. AWStats is a freely available log analyzer that collects and graphically displays statistics from web, FTP, and mail servers. AWStats version 6.1, and possibly other versions, is affected. The vulnerability is reported to exist because user-supplied 'logfile' URI data passed to the 'awstats.pl' script is not sanitized. A remote attacker may exploit this vulnerability to execute arbitrary commands or disclose the contents of files readable by the web server. |
| References | http://www.securitytracker.com/alerts/2004/Aug/1010993.html |
| Platforms Affected | AWStats version 6.1 and possibly other versions; any operating system, any version |
| Recommendation | Upgrade to the latest version of AWStats (6.4 or later), available from the AWStats Download Web page at http://awstats.sourceforge.net/#DOWNLOAD |
| Recommendation (Debian GNU/Linux 3.0 "woody") | Upgrade to the latest version of awstats (4.0-0.woody.2 or later), as listed in Debian Security Advisory DSA-682-1 at http://www.debian.org/security/2005/dsa-682 |
| Recommendation (other distributions) | Contact your vendor for upgrade or patch information. |
| Related URL | (CVE) |
| Related URL | 10950, 12572 (SecurityFocus) |
| Related URL | 17049 (ISS) |