Check Point Advisories

Update Protection against AWStats Remote Command Execution Vulnerability

Check Point Reference: CPAI-2006-078
Date Published: 5 Jul 2006
Severity: Medium
Last Updated: 15 May 2007
Source: iDEFENSE
Industry Reference: CVE-2005-0116
Protection Provided by:
Who is Vulnerable? AWStats 6.1, and other versions before 6.3
Vulnerability Description: AWStats is a free tool that collects and graphically displays advanced web, FTP or mail server statistics. Lack of input validation on one of the parameters may allow an attacker to compromise a vulnerable server. Successful exploitation allows remote attackers to execute arbitrary commands under the privileges of the web server.
Vulnerability Status: According to public reports, this vulnerability is being actively exploited.
Update/Patch Available: Update to version 6.3.
http://awstats.sourceforge.net/#DOWNLOAD
Vulnerability Details: The flaw is due to improper validation of input passed to the "configdir" parameter before it is used as an argument to the Perl "open()" routine. This can be exploited to execute arbitrary commands by passing these as input together with other characters.

Protection Overview
