ID CVE-2006-2644
Summary AWStats 6.5, and possibly other versions, allows remote authenticated users to execute arbitrary code by using the configdir parameter to awstats.pl to upload a configuration file whose name contains shell metacharacters, then access that file using the LogFile directive.
References
Vulnerable Configurations
  • cpe:2.3:a:awstats:awstats:6.4_1:sarge1
  • cpe:2.3:a:awstats:awstats:6.5
  • cpe:2.3:a:awstats:awstats:6.5_1
CVSS
Base: 4.0 (as of 30-05-2006 - 11:53)
Impact:
Exploitability:
Access
  • Vector NETWORK
  • Complexity LOW
  • Authentication SINGLE_INSTANCE
Impact
  • Confidentiality NONE
  • Integrity PARTIAL
  • Availability NONE
nessus via4
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1075.NASL
    description Hendrik Weimer discovered that awstats can execute arbitrary commands under the user id the web server runs as when users are allowed to supply arbitrary configuration files. Even though this bug was referenced in DSA 1058 accidentally, it was not fixed yet. The new default behaviour is not to accept arbitrary configuration directories from the user. This can be overridden by the AWSTATS_ENABLE_CONFIG_DIR environment variable when users are to be trusted. The old stable distribution (woody) does not seem to be affected by this problem.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 22617
    published 2006-10-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22617
    title Debian DSA-1075-1 : awstats - programming error
  • NASL family SuSE Local Security Checks
    NASL id SUSE_AWSTATS-1612.NASL
    description This update fixes remote code execution vulnerabilities in awstats. Since backporting awstats fixes is error prone we have upgraded it to upstream version 6.6, which also includes new features. Security issues fixed: - CVE-2006-2237: missing sanitizing of the 'migrate' parameter. #173041 - CVE-2006-2644: missing sanitizing of the 'configdir' parameter. #173041 - Make sure open() only opens files for read/write by adding explicit < and >.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27163
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27163
    title openSUSE 10 Security Update : awstats (awstats-1612)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-290-1.NASL
    description Hendrik Weimer discovered a privilege escalation vulnerability in awstats. By supplying the 'configdir' CGI parameter and setting it to an attacker-controlled directory (such as an FTP account, /tmp, or similar), an attacker could execute arbitrary shell commands with the privileges of the web server (user 'www-data'). This update disables the 'configdir' parameter by default. If all local user accounts can be trusted, it can be reenabled by running awstats with the AWSTATS_ENABLE_CONFIG_DIR environment variable set to a nonempty value.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 27862
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27862
    title Ubuntu 5.04 / 5.10 / 6.06 LTS : awstats vulnerability (USN-290-1)
refmap via4
bid 18327
confirm http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=365910
debian DSA-1075
misc http://www.osreviews.net/reviews/comm/awstats
secunia
  • 20164
  • 20283
  • 20502
  • 20710
suse SUSE-SA:2006:033
ubuntu USN-290-1
vupen ADV-2006-1998
Last major update 07-03-2011 - 21:36
Published 30-05-2006 - 06:02
Last modified 03-10-2018 - 17:41