Bug 165812

Summary: AWStats ShowInfoURL Remote Command Execution Vulnerability
Product: Fedora
Component: awstats
Version: 4
Hardware: All
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Keywords: Security
Reporter: Alexander Dalloz <alex>
Assignee: Aurelien Bompard <gauret>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: extras-qa
URL: http://www.idefense.com/application/poi/display?id=290&type=vulnerabilities&flashstatus=true
Fixed In Version: 6.5-0.1.050822
Doc Type: Bug Fix
Last Closed: 2005-08-22 10:21:49 UTC

Description Alexander Dalloz 2005-08-12 14:42:34 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; de-AT; rv:1.7.8) Gecko/20050603 Fedora/1.7.8-1.2.1.legacy

Description of problem:
Successful exploitation results in the execution of arbitrary commands
with permissions of the web service. Exploitation will not occur until
the stats page has been regenerated with the tainted referrer values
from the http access log. Note that AWStats is only vulnerable in
situations where at least one URLPlugin is enabled.

Version-Release number of selected component (if applicable):
awstats-6.4-1.fc4

How reproducible:
Always

Steps to Reproduce:
please see iDefense Security Advisory for details

Additional info:

Comment 1 Aurelien Bompard 2005-08-22 10:21:49 UTC
I've updated to 6.5 (still beta, will update again on release), which fixes this
issue.
Thanks for the report.
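The report above describes the exposure only in outline: referer strings written to the HTTP access log are later processed by AWStats when the stats page is regenerated, and with a URLPlugin enabled a crafted referer ends up executed with the web server's privileges. The following is an added example, not code from AWStats, from the iDefense advisory or from this bug report. It scans Apache combined-format access log lines and flags referers containing characters that would change meaning if the string were interpolated into Perl source and passed to eval. The flagged character set is an assumption (a conservative superset chosen from Perl string semantics, not the exact set the fixed code mishandled), the log lines are constructed, and the percent-decoding check is deliberately pessimistic.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format. Apache escapes double quotes and backslashes
# inside the three quoted fields as \" and \\ ; it does not escape single
# quotes, which is the character that matters for a Perl single-quoted literal.
_COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# Assumption: characters that are significant if a referer is interpolated
# into Perl source text and evaluated. Conservative superset, tune for your logs.
SUSPICIOUS = {
    "'": "single quote (closes a single-quoted Perl literal)",
    "\\": "backslash (escape)",
    "$": "dollar (scalar interpolation)",
    "@": "at sign (array interpolation)",
    "`": "backtick (command substitution)",
    ";": "semicolon (statement separator)",
    "|": "pipe",
}


def parse_combined(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = _COMBINED.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    # Undo Apache's \" and \\ escaping so we inspect the bytes as sent.
    for key in ("request", "referer", "agent"):
        rec[key] = re.sub(r"\\(.)", r"\1", rec[key])
    return rec


def tainted_reasons(referer):
    """Return why a referer looks dangerous; an empty list means it looks clean.

    Both the raw string and its percent-decoded form are checked, since a
    downstream consumer may decode %27 back into a quote before using it.
    """
    if referer in ("", "-"):
        return []
    decoded = unquote(referer)
    reasons = []
    for ch, why in SUSPICIOUS.items():
        if ch in referer:
            reasons.append(why)
        elif ch in decoded:
            reasons.append(why + " (percent-encoded)")
    return reasons


def scan_log(lines):
    """Return (line_no, client, referer, reasons) for every suspicious line."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_combined(line)
        if rec is None:
            hits.append((n, None, None, ["unparseable line"]))
            continue
        reasons = tainted_reasons(rec["referer"])
        if reasons:
            hits.append((n, rec["host"], rec["referer"], reasons))
    return hits


# Constructed sample log: two benign requests, one referer with a raw quote and
# a dollar sign, one with the quote percent-encoded (and a \"-escaped agent).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Aug/2005:14:42:34 +0200] "GET /index.html HTTP/1.1" 200 2326 '
    '"http://www.example.org/page?id=42" "Mozilla/5.0 (X11; U; Linux i686)"',
    '192.0.2.11 - - [12/Aug/2005:14:43:01 +0200] "GET /about.html HTTP/1.1" 200 1024 '
    '"-" "Mozilla/5.0 (X11; U; Linux i686)"',
    '198.51.100.7 - - [12/Aug/2005:14:45:12 +0200] "GET / HTTP/1.0" 200 512 '
    '"http://attacker.example/it\'s-$here" "curl/7.13"',
    '198.51.100.8 - - [12/Aug/2005:14:46:00 +0200] "GET / HTTP/1.0" 200 512 '
    '"http://attacker.example/a%27b" "Mozilla/5.0 \\"tester\\""',
]

if __name__ == "__main__":
    for n, host, ref, why in scan_log(SAMPLE_LOG):
        print(f"line {n} from {host}: {ref!r}")
        for r in why:
            print(f"    - {r}")
```

Run it over the real access log before the next statistics regeneration on a host where the awstats package has not yet been updated; a hit means the log already carries input that should not be fed to an unpatched AWStats with a URLPlugin enabled. The check is a heuristic, so expect occasional false positives from legitimate URLs containing `$` or `;`, and treat the updated package, not log filtering, as the fix.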