Bug 2449785 (CVE-2025-63261)
| Field | Value |
|---|---|
| Summary | CVE-2025-63261 AWStats: AWStats: Arbitrary code execution via command injection vulnerability |
| Product | [Other] Security Response |
| Reporter | OSIDB Bzimport <bzimport> |
| Component | vulnerability |
| Assignee | Product Security <prodsec-ir-bot> |
| Status | NEW --- |
| QA Contact | |
| Severity | high |
| Docs Contact | |
| Priority | high |
| Version | unspecified |
| CC | rpm |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | --- |
| Doc Text | A flaw was found in AWStats. A remote attacker can exploit a command injection vulnerability through the `open` function, leading to arbitrary code execution on the affected system. This allows for a complete compromise of the system. |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 2450260, 2450261, 2450263 |
| Bug Blocks | |
Description
OSIDB Bzimport
2026-03-20 21:02:45 UTC
Per the vulnerability report, "To perform this exploit, an attacker must find a way to create or modify the “awstats.conf” file with malicious content" (specifically, modifying DNSLastUpdateCacheFile to contain a malicious value and potentially changing the values of other, enabling, options).

Unless I'm misunderstanding the vulnerability report, this is only really an issue if a user has write access to awstats.conf, and that configuration file is subsequently used by a *different* user (for example, "root" or "apache") running awstats, thereby enabling code execution by that (second) user. Or if a user has the ability to modify an awstats.conf file (through a web interface, for example) but normally no ability to execute code on the target system as the user owning that file.

This does not seem to be the default configuration in Fedora/EPEL; whilst AWStats may be executed as "root" or "apache", only the following folders (per /usr/local/awstats/wwwroot/cgi-bin/awstats.pl) are searched for awstats.conf, none of which are by default writeable by an untrusted user:

- /usr/local/awstats/wwwroot/cgi-bin
- /etc/awstats
- /usr/local/etc/awstats
- /etc/opt/awstats

Additionally, /etc/cron.hourly/awstats explicitly uses /etc/awstats as the configuration directory.

So, whilst it would be beneficial for AWStats to prevent this abuse of a configuration file option, I can't immediately see a means to exploit it in the default Fedora/EPEL configuration.
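The comment above hinges on two things: Perl's two-argument `open` treating a configuration value as more than a filename, and the configuration directories not being writable by untrusted users. The Perl below is an added example written for this page; it is not AWStats code and not the reporter's. It assumes a hypothetical config value for DNSLastUpdateCacheFile (the option named in the report), uses the directory list and the /etc/cron.hourly/awstats path quoted in the comment, and the function names `read_dns_cache`, `writable_config_dirs` and `cron_pins_config_dir` are hypothetical.

```perl
#!/usr/bin/perl
# Added example, not AWStats code: consume a config-supplied path without
# letting it select an open() mode, and check the deployment preconditions
# discussed in the comment above. Function names are hypothetical.
use strict;
use warnings;
use Fcntl ':mode';

# Directories awstats.pl searches for awstats.conf (list taken from the comment).
my @config_dirs = qw(
    /usr/local/awstats/wwwroot/cgi-bin
    /etc/awstats
    /usr/local/etc/awstats
    /etc/opt/awstats
);

# Reads the DNS cache file named by a configuration value.
# Perl's two-argument open(FH, $string) parses the *string* for a mode: a
# leading or trailing '|' turns it into a pipeline to a shell command, and a
# leading '>' or '>>' turns a read into a write. The three-argument form used
# here fixes the mode to '<', so the value can only ever be a filename.
sub read_dns_cache {
    my ($path) = @_;

    # Constrain the value to an absolute path of ordinary path characters
    # (assumption: AWStats cache paths never legitimately need anything else).
    return (undef, "rejected cache path: $path")
        unless defined $path && $path =~ m{\A(?:/[A-Za-z0-9._-]+)+\z};

    # Refuse a symlink planted in a directory someone else could write to.
    return (undef, "refusing symlink: $path") if -l $path;
    return (undef, "not a regular file: $path") unless -f $path;

    open(my $fh, '<', $path) or return (undef, "open failed: $!");
    local $/;                      # slurp mode
    my $content = <$fh>;
    close $fh;
    return ($content, undef);
}

# Returns the config directories that group or others can write to, which is
# the precondition the comment identifies for abuse of awstats.conf.
sub writable_config_dirs {
    my @dirs = @_;
    my @bad;
    for my $dir (@dirs) {
        my @st = stat $dir or next;    # a missing directory is not a finding
        my $mode = $st[2];
        push @bad, $dir if $mode & (S_IWGRP | S_IWOTH);
    }
    return @bad;
}

# Checks that the hourly cron job names /etc/awstats as its configuration
# directory, as the comment states; this looks for the literal path.
sub cron_pins_config_dir {
    my ($cron_path) = @_;
    open(my $fh, '<', $cron_path) or return 0;
    my $text = do { local $/; <$fh> };
    close $fh;
    return $text =~ m{/etc/awstats} ? 1 : 0;
}

for my $dir (writable_config_dirs(@config_dirs)) {
    print "WARNING: $dir is group- or world-writable\n";
}
print "cron job pins /etc/awstats: ",
      cron_pins_config_dir('/etc/cron.hourly/awstats'), "\n";

# Constructed config value (hypothetical path): a pipe character in the value
# is rejected by the pattern check and never reaches open() at all.
my ($data, $err) = read_dns_cache('|/var/lib/awstats/dnscache.txt');
print "$err\n" if $err;
```

The pattern check is deliberately an allow-list rather than a search for `|` and `>`: it is easier to reason about what a legitimate cache path looks like than to enumerate every character `open` gives meaning to. The directory check reports only group- and world-writable directories; ownership by a user other than the one running AWStats (the "different user" case in the comment) would need a separate comparison of `$st[4]` against the expected uid.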