Web application abuses : AWStats 'configdir' Parameter Arbitrary Command Execution Vulnerability

Vulnerability Search		Search 324607 CVE descriptions and 145615 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.0.16189

Category: Web application abuses

Title: AWStats 'configdir' Parameter Arbitrary Command Execution Vulnerability

Summary: AWStats is prone to a command execution vulnerability.

Description: Summary:
AWStats is prone to a command execution vulnerability.

Vulnerability Insight:
The remote version of this software is prone to an input
validation vulnerability. The issue is reported to exist because user supplied 'configdir' URI
data passed to the 'awstats.pl' script is not sanitized.

Vulnerability Impact:
An attacker may exploit this condition to execute commands remotely or disclose
contents of web server readable files.

Solution:
Upgrade at least to version 6.3 of this software.

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2005-0116
BugTraq ID: 12298
http://www.securityfocus.com/bid/12298
CERT/CC vulnerability note: VU#272296
http://www.kb.cert.org/vuls/id/272296
http://www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=false
http://packetstormsecurity.org/0501-exploits/AWStatsVulnAnalysis.pdf
http://www.osvdb.org/13002
http://secunia.com/advisories/13893/

Copyright Copyright (C) 2005 David Maciejak

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.0.16189
Category:	Web application abuses
Title:	AWStats 'configdir' Parameter Arbitrary Command Execution Vulnerability
Summary:	AWStats is prone to a command execution vulnerability.
Description:	Summary: AWStats is prone to a command execution vulnerability. Vulnerability Insight: The remote version of this software is prone to an input validation vulnerability. The issue is reported to exist because user supplied 'configdir' URI data passed to the 'awstats.pl' script is not sanitized. Vulnerability Impact: An attacker may exploit this condition to execute commands remotely or disclose contents of web server readable files. Solution: Upgrade at least to version 6.3 of this software. CVSS Score: 7.5 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2005-0116 BugTraq ID: 12298 http://www.securityfocus.com/bid/12298 CERT/CC vulnerability note: VU#272296 http://www.kb.cert.org/vuls/id/272296 http://www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=false http://packetstormsecurity.org/0501-exploits/AWStatsVulnAnalysis.pdf http://www.osvdb.org/13002 http://secunia.com/advisories/13893/
Copyright	Copyright (C) 2005 David Maciejak