AWStats migrate parameter command injection

Added: 05/11/2006
CVE: CVE-2006-2237
BID: 17844
OSVDB: 25284

Background

AWStats is a web application for showing web, FTP, and mail server statistics.

Problem

AWStats passes the value of the migrate input parameter to a Perl open call without sufficiently checking it for invalid characters, allowing remote command execution.

Resolution

Upgrade to AWStats 6.6 or higher, or disable the AllowToUpdateStatsFromBrowser option in the AWStats configuration file.
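
The following audit helper is an added example, not part of the original advisory or of AWStats. It classifies one site configuration against the two resolution options above. It assumes the installed version string is supplied by the operator, that the last assignment of the option in a file wins, and that the option defaults to 0 when absent; the sample configs and status labels are constructed.

```python
import re

FIXED = (6, 6)  # first fixed release named in the advisory
# AWStats config lines are "Name=Value"; '#' starts a comment and values may
# be quoted. Spaces around '=' are tolerated here so odd formatting is not missed.
DIRECTIVE = re.compile(r'^\s*AllowToUpdateStatsFromBrowser\s*=\s*"?([^"#\s]*)')

def browser_update_enabled(conf_text):
    """True if the effective AllowToUpdateStatsFromBrowser value is non-zero.
    Assumption: the last assignment wins and the default is 0."""
    value = "0"
    for line in conf_text.splitlines():
        m = DIRECTIVE.match(line)  # commented-out lines never match
        if m:
            value = m.group(1)
    return value not in ("", "0")

def version_tuple(version):
    """'6.5' -> (6, 5); trailing text such as ' (build ...)' is ignored."""
    m = re.match(r'\s*(\d+)\.(\d+)', version)
    if not m:
        raise ValueError(f"unrecognised AWStats version: {version!r}")
    return int(m.group(1)), int(m.group(2))

def triage(version, conf_text):
    """Return 'fixed-version', 'mitigated-by-config' or 'needs-action'."""
    if version_tuple(version) >= FIXED:
        return "fixed-version"
    if browser_update_enabled(conf_text):
        return "needs-action"
    return "mitigated-by-config"

# Constructed sample configs, not taken from any real host.
SAMPLE_ON = '''# awstats.example.conf (constructed)
LogFile="/var/log/apache2/access.log"
#AllowToUpdateStatsFromBrowser=0
AllowToUpdateStatsFromBrowser=1   # enabled for convenience
'''
SAMPLE_OFF = 'SiteDomain="www.example.org"\nAllowToUpdateStatsFromBrowser = "0"\n'

if __name__ == "__main__":
    for ver, conf in [("6.5", SAMPLE_ON), ("6.5", SAMPLE_OFF), ("6.6", SAMPLE_ON)]:
        print(ver, triage(ver, conf))
```

Run it over every per-site configuration file on a host, since the option is set per configuration and one enabled site is enough to leave the update path reachable.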

References

http://secunia.com/advisories/19969
