awstats vulnerability

2006-06-0800:00:00

ubuntu.com

7.3 High

AI Score

Confidence

Low

4 Medium

CVSS2

Access Vector

Access Complexity

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:N/I:P/A:N

0.012 Low

EPSS

Percentile

85.4%

JSON

Releases

Ubuntu 6.06
Ubuntu 5.10
Ubuntu 5.04

Details

Hendrik Weimer discovered a privilege escalation vulnerability in
awstats. By supplying the ‘configdir’ CGI parameter and setting it to
an attacker-controlled directory (such as an FTP account, /tmp, or
similar), an attacker could execute arbitrary shell commands with the
privileges of the web server (user ‘www-data’).

This update disables the ‘configdir’ parameter by default. If all
local user accounts can be trusted, it can be reenabled by running
awstats with the AWSTATS_ENABLE_CONFIG_DIR environment variable set to
a nonempty value.

OSVersionArchitecturePackageVersionFilename
Ubuntu6.06noarchawstats< 6.5-1ubuntu1.1UNKNOWN
Ubuntu5.10noarchawstats< 6.4-1ubuntu1.2UNKNOWN
Ubuntu5.04noarchawstats< 6.3-1ubuntu0.3UNKNOWN