OSVDB ID: 13002

Title: AWStats awstats.pl configdir Parameter Arbitrary Command Execution

Info

Disclosure

Jan 01, 2005

Discovery

Unknown

Dates

Exploit

Jan 26, 2005

Solution

Unknown

Description

AWStats contains a flaw that may allow a remote attacker to execute arbitrary commands with the privileges of the web server. The issue is triggered when the pipe character (|) together with other shell metacharacters is supplied in the 'configdir' parameter of the awstats.pl script. The value is not sanitized before being passed to Perl's two-argument 'open()', which treats a string with a leading or trailing pipe as a command to run through the shell rather than as a file name.
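The mechanism described above, as an added example that is not part of the OSVDB entry or of AWStats itself: a minimal Perl script reproduces the two-argument open() behaviour on a constructed 'configdir' value and contrasts it with an allowlisted three-argument open(). The function names, the 'awstats.conf' suffix, the validation pattern and the sample input are assumptions for illustration, not the project's code or its actual fix.

```perl
#!/usr/bin/perl
# Added example, not AWStats code: why a two-argument open() on an
# attacker-controlled "configdir" value runs shell commands, and how the
# three-argument form plus an allowlist prevents it. Running this prints
# "pwned" on stdout from the vulnerable path only.
use strict;
use warnings;

$| = 1;   # unbuffer stdout so our output and the child's interleave sanely

# Constructed attacker input, standing in for ?configdir=... . The leading
# "|" makes two-arg open() treat the whole string as a command to pipe
# into; the trailing "|" absorbs the file-name suffix the script appends.
my $evil_configdir = '|echo pwned;echo|';

# Vulnerable: two-argument open() parses the mode out of the string itself.
# "|echo pwned;echo|/awstats.conf" is a pipe open, so /bin/sh runs
# "echo pwned;echo|/awstats.conf". The command's stdout is inherited from
# the Perl process (for a CGI, that is the HTTP response body), which is
# how command output reaches the attacker even though the script only
# ever tries to read from the handle.
sub read_config_vulnerable {
    my ($dir) = @_;
    my $path = "$dir/awstats.conf";          # assumed file-name suffix
    open(my $fh, $path) or return "open failed: $!";
    my @lines = <$fh>;   # warns: handle opened only for output (it is a pipe)
    close($fh);
    return "open() succeeded; read " . scalar(@lines) . " lines";
}

# Hardened: validate the directory against a strict allowlist first, then
# use three-argument open() so the mode is fixed by the second argument and
# the third is always taken literally as a file name, never as a command.
sub read_config_hardened {
    my ($dir) = @_;
    # Plain path characters only: no "|", ";", "$", backticks or newlines.
    return "rejected: bad configdir" unless $dir =~ m{\A[\w./-]+\z};
    # Refuse directory traversal out of the expected location.
    return "rejected: traversal" if $dir =~ m{(?:\A|/)\.\.(?:/|\z)};
    my $path = "$dir/awstats.conf";
    open(my $fh, '<', $path) or return "open failed: $!";
    my @lines = <$fh>;
    close($fh);
    return "open() succeeded; read " . scalar(@lines) . " lines";
}

print "vulnerable: ", read_config_vulnerable($evil_configdir), "\n";
print "hardened:   ", read_config_hardened($evil_configdir), "\n";
```

The vulnerable call prints "pwned" (from the shell child) and a shell error for the bogus "/awstats.conf" command on stderr, then reports a successful open() with zero lines read; the hardened call rejects the value before any open() is attempted. Even without the allowlist, the three-argument form alone would fail with ENOENT on this input instead of executing it, which is why three-argument open() is the idiom to insist on in review.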

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Upgrade
Exploit: Exploit Public, Exploit Commercial
Disclosure: Vendor Verified
OSVDB: Web Related

Solution

Upgrade to version 6.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Laurent Destailleur

AWStats

6.1

References

Credit

  • iDefense

Direct URL: http://osvdb.org/13002