The script awstats.pl, which comes with awstats, is vulnerable to specific URLs (pipes in URLs aren't parsed properly and commands are executed). http://sourceforge.net/tracker/index.php?func=detail&aid=1198578&group_id=13764&atid=113764

Reproducible: Always

Steps to Reproduce:
1. Search a webserver running awstats.
2. Check if /cgi-bin/awstats.pl is accessible (the internal awstats remote-IP check doesn't work for this exploit...)
3. Add commands to the URL parameter configdir=|echo;uname%20-a
4. Surprise

Actual Results:
If I take the URL provided above, I'd see the output of uname -a and then the HTML output of the awstats script in text/plain

Expected Results:
It should have parsed the | out and other stuff to prevent execution of programs

This exploit is currently used by a lot of spammers to upload and execute spam scripts on webservers. Restricting the access to the cgi-bin with Allow,Deny directives through apache is a workaround.
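A defender-side detection check, added here as an example and not taken from the bug thread or from awstats itself: it parses Apache combined-format access-log lines (constructed samples) and flags any awstats.pl request whose query parameters, once URL-decoded, contain shell metacharacters, covering every parameter rather than only configdir. The log format, regex and metacharacter set are assumptions of this example.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [02/Mar/2005:10:00:01 +0000] "GET /cgi-bin/awstats.pl?config=site&configdir=|echo;uname%20-a HTTP/1.0" 200 512 "-" "-"
198.51.100.2 - - [02/Mar/2005:10:00:05 +0000] "GET /cgi-bin/awstats.pl?config=site&output=main HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Mar/2005:10:00:09 +0000] "GET /cgi-bin/awstats.pl?configdir=%7Cecho%3Bid HTTP/1.0" 200 300 "-" "-"
192.0.2.9 - - [02/Mar/2005:10:01:00 +0000] "GET /index.html?q=a|b HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Characters that a Perl open() on an unsanitised string would hand to the shell (assumed set).
SHELL_META = set("|;`$&")


def parse_query(query):
    """Split on '&' only and percent-decode once; unlike parse_qsl, a ';' inside
    a value (as in the reported payload) stays part of the value."""
    params = []
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            params.append((unquote_plus(name), unquote_plus(value)))
    return params

def suspicious_params(target):
    """(name, decoded value) for every awstats.pl query parameter that carries
    shell metacharacters; every parameter is checked, not only configdir."""
    parts = urlsplit(target)
    if not parts.path.endswith("/awstats.pl"):
        return []
    return [(n, v) for n, v in parse_query(parts.query) if SHELL_META & set(v)]

def scan_log(text):
    """Return one finding per log line whose awstats.pl request is suspicious."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            hits = suspicious_params(m.group("target"))
            if hits:
                findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                                 "status": m.group("status"), "params": hits})
    return findings
```

Only requests that reach awstats.pl are inspected, so the same characters in other paths (last sample line) do not raise a finding.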
Aaron please advise.
This is the source of the exploit shell. Not only the configdir parameter is insecure... changing the name of the cgi-bin is also a workaround. http://www.addict3d.org/index.php?page=viewarticle&type=security&ID=3397
Tested with both 6.3-r2 and 6.4 with the PoC code [1], and by hand. We're clean. [1] http://www.frsirt.com/exploits/20050302.awstats_shell.c.php
Closing as INVALID. Feel free to reopen if you disagree.