FreeBSD Local Security Checks : FreeBSD Ports: awstats

Vulnerability Search		Search 324607 CVE descriptions and 145615 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.0.52186

Category: FreeBSD Local Security Checks

Title: FreeBSD Ports: awstats

Summary: The remote host is missing an update to the system; as announced in the referenced advisory.

Description: Summary:
The remote host is missing an update to the system
as announced in the referenced advisory.

Vulnerability Insight:
The following package is affected: awstats

CVE-2005-0362
awstats.pl in AWStats 6.2 allows remote attackers to execute arbitrary
commands via shell metacharacters in the (1) 'pluginmode', (2)
'loadplugin', or (3) 'noloadplugin' parameters.

CVE-2005-0363
awstats.pl in AWStats 4.0 and 6.2 allows remote attackers to execute
arbitrary commands via shell metacharacters in the config parameter.

CVE-2005-0435
awstats.pl in AWStats 6.3 and 6.4 allows remote attackers to read
server web logs by setting the loadplugin and pluginmode parameters to
rawlog.

CVE-2005-0436
Direct code injection vulnerability in awstats.pl in AWStats 6.3 and
6.4 allows remote attackers to execute portions of Perl code via the
PluginMode parameter.

CVE-2005-0437
Directory traversal vulnerability in awstats.pl in AWStats 6.3 and 6.4
allows remote attackers to include arbitrary Perl modules via .. (dot
dot) sequences in the loadplugin parameter.

CVE-2005-0438
awstats.pl in AWStats 6.3 and 6.4 allows remote attackers to obtain
sensitive information by setting the debug parameter.

Solution:
Update your system with the appropriate patches or
software upgrades.

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2005-0362
http://www.osvdb.org/16089
Common Vulnerability Exposure (CVE) ID: CVE-2005-0363
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=294488
Debian Security Information: DSA-682 (Google Search)
http://www.debian.org/security/2005/dsa-682
Common Vulnerability Exposure (CVE) ID: CVE-2005-0435
Bugtraq: 20050214 AWStats <= 6.4 Multiple vulnerabilities (Google Search)
http://www.securityfocus.com/archive/1/390368
http://secunia.com/advisories/14299
XForce ISS Database: awstats-awstatpl-obtain-information(19333)
https://exchange.xforce.ibmcloud.com/vulnerabilities/19333
Common Vulnerability Exposure (CVE) ID: CVE-2005-0436
http://www.osvdb.org/13832
XForce ISS Database: awstats-function-code-execution(19336)
https://exchange.xforce.ibmcloud.com/vulnerabilities/19336
Common Vulnerability Exposure (CVE) ID: CVE-2005-0437
Common Vulnerability Exposure (CVE) ID: CVE-2005-0438
XForce ISS Database: awstats-information-disclosure(19477)
https://exchange.xforce.ibmcloud.com/vulnerabilities/19477

Copyright Copyright (C) 2008 E-Soft Inc.

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.0.52186
Category:	FreeBSD Local Security Checks
Title:	FreeBSD Ports: awstats
Summary:	The remote host is missing an update to the system; as announced in the referenced advisory.
Description:	Summary: The remote host is missing an update to the system as announced in the referenced advisory. Vulnerability Insight: The following package is affected: awstats CVE-2005-0362 awstats.pl in AWStats 6.2 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) 'pluginmode', (2) 'loadplugin', or (3) 'noloadplugin' parameters. CVE-2005-0363 awstats.pl in AWStats 4.0 and 6.2 allows remote attackers to execute arbitrary commands via shell metacharacters in the config parameter. CVE-2005-0435 awstats.pl in AWStats 6.3 and 6.4 allows remote attackers to read server web logs by setting the loadplugin and pluginmode parameters to rawlog. CVE-2005-0436 Direct code injection vulnerability in awstats.pl in AWStats 6.3 and 6.4 allows remote attackers to execute portions of Perl code via the PluginMode parameter. CVE-2005-0437 Directory traversal vulnerability in awstats.pl in AWStats 6.3 and 6.4 allows remote attackers to include arbitrary Perl modules via .. (dot dot) sequences in the loadplugin parameter. CVE-2005-0438 awstats.pl in AWStats 6.3 and 6.4 allows remote attackers to obtain sensitive information by setting the debug parameter. Solution: Update your system with the appropriate patches or software upgrades. CVSS Score: 7.5 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2005-0362 http://www.osvdb.org/16089 Common Vulnerability Exposure (CVE) ID: CVE-2005-0363 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=294488 Debian Security Information: DSA-682 (Google Search) http://www.debian.org/security/2005/dsa-682 Common Vulnerability Exposure (CVE) ID: CVE-2005-0435 Bugtraq: 20050214 AWStats <= 6.4 Multiple vulnerabilities (Google Search) http://www.securityfocus.com/archive/1/390368 http://secunia.com/advisories/14299 XForce ISS Database: awstats-awstatpl-obtain-information(19333) https://exchange.xforce.ibmcloud.com/vulnerabilities/19333 Common Vulnerability Exposure (CVE) ID: CVE-2005-0436 http://www.osvdb.org/13832 XForce ISS Database: awstats-function-code-execution(19336) https://exchange.xforce.ibmcloud.com/vulnerabilities/19336 Common Vulnerability Exposure (CVE) ID: CVE-2005-0437 Common Vulnerability Exposure (CVE) ID: CVE-2005-0438 XForce ISS Database: awstats-information-disclosure(19477) https://exchange.xforce.ibmcloud.com/vulnerabilities/19477
Copyright	Copyright (C) 2008 E-Soft Inc.