AWStats configdir parameter command execution

Added: 02/14/2006
CVE: CVE-2005-0116
BID: 12298
OSVDB: 13002

Background

AWStats is a web application for showing web, FTP, and mail server statistics.

Problem

Insufficient validation of the configdir parameter before being used in a PERL open call leads to remote command execution.

Resolution

Upgrade to AWStats 6.3 or higher.

References

http://www.idefense.com/intelligence/vulnerabilities/display.php?id=185&type=vulnerabilities

Limitations

Exploit works on AWStats 6.2 on Linux.
Back to exploit index