Check Point Advisories

Update Protection against AWStats Remote Command Execution Vulnerability

Check Point Reference: CPAI-2006-078
Date Published: 5 Jul 2006
Severity: Medium
Last Updated: Tuesday 15 May, 2007
Source: iDEFENSE
Industry Reference: CVE-2005-0116
Protection Provided by:
Who is Vulnerable? AWStats 6.1, and other versions before 6.3
Vulnerability Description: AWStats is a free tool that collects and graphically displays advanced web, FTP or mail server statistics. Lack of input validation on one of the parameters may allow an attacker to compromise a vulnerable server. Successful exploitation allows remote attackers to execute arbitrary commands under the privileges of the web server.
Vulnerability Status: According to public reports, this vulnerability is being actively exploited.
Update/Patch Available: Update to version 6.3.
http://awstats.sourceforge.net/#DOWNLOAD
Vulnerability Details: The flaw is due to improper validation of input passed to the "configdir" parameter before it is used as an argument to the Perl "open()" routine. This can be exploited to execute arbitrary commands by passing them as input together with other characters.
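For log review on servers that ran an affected version, the following added example (not part of the Check Point advisory or of AWStats) flags requests to awstats.pl whose decoded "configdir" value contains anything other than plain path characters. The combined access-log layout, the allowlist, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: a legitimate configdir is a plain directory path, so anything
# outside letters, digits, '/', '.', '_' and '-' is worth an analyst's look.
SAFE_CONFIGDIR = re.compile(r"[A-Za-z0-9/._-]*")

# Client address and request target from a common/combined access-log line.
REQUEST = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def suspicious_configdir(log_line):
    """Return (client_ip, decoded_configdir) for an AWStats request whose
    configdir falls outside the allowlist, otherwise None."""
    m = REQUEST.match(log_line)
    if not m:
        return None                      # not a parseable request line
    url = urlsplit(m.group("target"))
    if not url.path.lower().endswith("awstats.pl"):
        return None                      # only the AWStats CGI is in scope
    # parse_qsl percent-decodes values, so encoded characters are checked too.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name.lower() == "configdir" and not SAFE_CONFIGDIR.fullmatch(value):
            return (m.group("ip"), value)
    return None

def scan(lines):
    """Collect every flagged (client_ip, configdir) pair, in log order."""
    return [hit for hit in map(suspicious_configdir, lines) if hit]

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Jul/2006:10:00:00 +0000] "GET /cgi-bin/awstats.pl?config=example.org HTTP/1.1" 200 5120',
    '192.0.2.11 - - [05/Jul/2006:10:00:05 +0000] "GET /cgi-bin/awstats.pl?configdir=/etc/awstats HTTP/1.1" 200 5120',
    '198.51.100.7 - - [05/Jul/2006:10:00:09 +0000] "GET /cgi-bin/awstats.pl?configdir=/etc/awstats%3B%20CONSTRUCTED HTTP/1.0" 200 310',
    '198.51.100.7 - - [05/Jul/2006:10:00:12 +0000] "GET /index.html?configdir=%3B HTTP/1.0" 200 310',
]

if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"review: {ip} sent configdir={value!r}")
```

A hit is a lead for triage rather than proof of compromise; the advisory's remedy remains updating to version 6.3.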

Protection Overview
