| VID | 21530 |
| Severity | 40 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description |
AWStats is affected by multiple vulnerabilities. AWStats is a freely available log analyzer that collects and graphically displays statistics from web, FTP, and mail servers. AWStats versions 6.4 and earlier are vulnerable to multiple information disclosure and remote command execution vulnerabilities, as follows:
- The awstats.pl script in AWStats 6.4 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the pluginmode, loadplugin, or noloadplugin parameters.
- The awstats.pl script in AWStats 6.3 and 6.4 allows remote attackers to read server web logs by setting the loadplugin and pluginmode parameters to rawlog.
* References:
http://www.securityfocus.com/archive/1/390368
http://www.securiteam.com/unixfocus/5IP0E20EUU.html
http://www.kb.cert.org/vuls/id/259785
http://packetstorm.linuxsecurity.com/0501-exploits/AWStatsVulnAnalysis.pdf
http://secunia.com/advisories/14299/
http://marc.theaimsgroup.com/?l=bugtraq&m=110840530924124&w=2
* Platforms Affected: AWStats versions 6.4 and earlier; any operating system; any version |
| Recommendation |
Upgrade to the latest version of AWStats (6.5 or later), available from the AWStats Download Web page at http://awstats.sourceforge.net/#DOWNLOAD
For Debian GNU/Linux 3.0 (woody): upgrade to the latest version of awstats (4.0-0.woody.2 or later), as listed in Debian Security Advisory DSA-682-1 at http://www.debian.org/security/2005/dsa-682
For other distributions: contact your vendor for upgrade or patch information. |
| Related URL | CVE-2005-0362, CVE-2005-0363, CVE-2005-0435 (CVE) |
| Related URL | 12545, 12543 (SecurityFocus) |
| Related URL | 19058, 19333, 19339 (ISS) |