Bug 165812 - AWStats ShowInfoURL Remote Command Execution Vulnerability
AWStats ShowInfoURL Remote Command Execution Vulnerability
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: awstats (Show other bugs)
4
All Linux
medium Severity medium
: ---
: ---
Assigned To: Aurelien Bompard
Fedora Extras Quality Assurance
http://www.idefense.com/application/p...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-08-12 10:42 EDT by Alexander Dalloz
Modified: 2007-11-30 17:11 EST (History)
1 user (show)

See Also:
Fixed In Version: 6.5-0.1.050822
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-08-22 06:21:49 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Alexander Dalloz 2005-08-12 10:42:34 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; de-AT; rv:1.7.8) Gecko/20050603 Fedora/1.7.8-1.2.1.legacy

Description of problem:
Successful exploitation results in the execution of arbitrary commands
with permissions of the web service. Exploitation will not occur until
the stats page has been regenerated with the tainted referrer values
from the http access log. Note that AWStats is only vulnerable in
situations where at least one URLPlugin is enabled.

Version-Release number of selected component (if applicable):
awstats-6.4-1.fc4

How reproducible:
Always

Steps to Reproduce:
please see iDefense Security Advisory for details

Additional info:
Comment 1 Aurelien Bompard 2005-08-22 06:21:49 EDT
I've updated to 6.5 (still beta, will update again on release) which fixes this
issue.
Thanks for the report

Note You need to log in before you can comment on or make changes to this bug.