Full Disclosure mailing list archives

Advisory: Awstats official workaround flaw
From: Maximillian Dornseif <dornseif () informatik rwth-aachen de>
Date: Mon, 14 Feb 2005 21:05:58 +0100

               Advisory: Awstats official workaround flaw

RedTeam, a group of students at our lab, found a flaw in the official workaround for the remote command
execution vulnerability in awstats that iDefense discovered.


Product: Awstats
Affected Version: <= 6.2
Immune Version: 6.3
OS affected: all
Security-Risk: high
Remote-Exploit: yes
Vendor-URL: http://awstats.sourceforge.net
Vendor-Status: informed
Advisory-URL: http://tsyklon.informatik.rwth-aachen.de/redteam/advisories/rt-sa-2005-006
Advisory-Status: public


iDefense found a remote command execution vulnerability in awstats <=
6.2, see CAN-2005-0116.

The official awstats website tells users that they are safe from remote
command execution if they set the configuration variable
AllowToUpdateStatsFromBrowser to 0. This is not true: the exploit
can still be triggered with that setting in place.

More Details

In awstats.pl the variable $configdir, which the exploit abuses, can
still be set remotely. Setting AllowToUpdateStatsFromBrowser to 0
only removes the link to the button that triggers statistics updates
from the browser; it does not stop awstats.pl from reading configdir
out of the query string, so the variable can still be assigned per GET
request. The value is later handed to a two-argument Perl open(), so a
value beginning with "|" makes Perl run the remainder of the string as
a shell command.

Proof of Concept

http://path/to/awstats/awstats.pl?configdir=|cd%20/tmp;%20touch%20evilfile;
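To look for attempts of this kind in existing web-server logs, here is an added Python example (not part of the original advisory or of the awstats project) that parses NCSA combined-format access-log lines and flags awstats.pl requests whose configdir parameter contains shell metacharacters. It percent-decodes the query exactly once, as the web server and CGI would, so a request that encodes the pipe as %7C is caught too. The log lines in SAMPLE_LOG are constructed for this example, and the function and constant names are the example's own, not awstats identifiers.

```python
import re
from urllib.parse import unquote_plus

# NCSA combined log format; only the fields this example needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) \S+'
)

# A leading '|' turns a Perl two-argument open() into a command pipe; the
# rest of the class lets a shell chain, redirect or substitute commands.
SHELL_META = re.compile(r'[|;&`$()<>\n]')


def parse_query(query):
    """Split a raw query string into (name, value) pairs, percent-decoding
    each side exactly once. The split is on '&' only: decoding is done
    after splitting so an encoded '%26' cannot create extra parameters."""
    pairs = []
    for part in query.split('&'):
        if not part:
            continue
        name, _, value = part.partition('=')
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def suspicious_configdir(target):
    """Return the decoded configdir value when TARGET is a request to
    awstats.pl whose configdir parameter contains shell metacharacters,
    otherwise None."""
    path, _, query = target.partition('?')
    if path.rsplit('/', 1)[-1] != 'awstats.pl':
        return None
    for name, value in parse_query(query):
        if name == 'configdir' and SHELL_META.search(value):
            return value
    return None


def scan_log(lines):
    """Return (client_ip, timestamp, decoded_configdir) for every log line
    that carries a suspicious configdir; lines that do not parse are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        value = suspicious_configdir(m.group('target'))
        if value is not None:
            hits.append((m.group('ip'), m.group('ts'), value))
    return hits


# Constructed sample lines (not real traffic): a benign awstats request, the
# advisory's proof of concept, the same idea with the pipe percent-encoded,
# and an unrelated CGI that happens to carry a pipe in its query.
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Feb/2005:21:05:58 +0100] "GET /cgi-bin/awstats.pl?config=www&configdir=/etc/awstats HTTP/1.1" 200 5120',
    '198.51.100.7 - - [14/Feb/2005:21:06:12 +0100] "GET /cgi-bin/awstats.pl?configdir=|cd%20/tmp;%20touch%20evilfile; HTTP/1.0" 200 1837',
    '198.51.100.7 - - [14/Feb/2005:21:06:40 +0100] "GET /stats/awstats.pl?configdir=%7Cid%3E/tmp/o%3B HTTP/1.0" 200 1837',
    '203.0.113.5 - - [14/Feb/2005:21:07:01 +0100] "GET /cgi-bin/search.pl?q=a|b HTTP/1.1" 200 300',
]

if __name__ == '__main__':
    for ip, ts, value in scan_log(SAMPLE_LOG):
        print(f'{ts} {ip} configdir={value!r}')
```

The query string is split by hand rather than with urllib's parse_qs because older Python versions also treat ';' as a parameter separator, which would cut the payload at the first semicolon and hide most of the injected command from the analyst. Decoding only once is deliberate as well: a double-encoded pipe (%257C) reaches the script as the literal text "%7C" and does not trigger the open() pipe, so decoding it further would only add false positives.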


Workaround

Use the workaround provided by iDefense; see their advisory for the
original vulnerability.


Fix

Fixed in version 6.3.

Security Risk

High, as arbitrary commands can be executed on the vulnerable system.


History

2005-02-12 eldy () users sourceforge net informed
2005-02-12 CVE number requested
2005-02-14 reply: issue does not qualify for a CVE number; advisory posted


RedTeam

RedTeam is a penetration-testing group working at the Laboratory for
Dependable Distributed Systems at RWTH Aachen University. You can find
more information on the RedTeam project at

Maximillian Dornseif, Dipl. Jur., CISSP
Laboratory for Dependable Distributed Systems, RWTH Aachen University
Tel. +49 241 80-21431 - http://md.hudora.de/


Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
