AWStats configdir parameter command execution

2006-02-14T00:00:00
ID SAINT:360F60468A59D80DCB80536A374F945B
Type saint
Reporter SAINT Corporation
Modified 2006-02-14T00:00:00

Description

Added: 02/14/2006
CVE: CVE-2005-0116
BID: 12298
OSVDB: 13002

Background

AWStats is a web application for showing web, FTP, and mail server statistics.

Problem

Insufficient validation of the **configdir** parameter before being used in a PERL open call leads to remote command execution.

Resolution

Upgrade to AWStats 6.3 or higher.

References

http://www.idefense.com/intelligence/vulnerabilities/display.php?id=185&type=vulnerabilities

Limitations

Exploit works on AWStats 6.2 on Linux.