[Pkg-awstats-devel] Bug#365910: AWStats: Malicious config file shell code injection

Hendrik Weimer hendrik at enyo.de
Wed May 3 17:11:18 UTC 2006


Package: awstats
Version: 6.5-1
Severity: important
Tags: security

Source: http://www.osreviews.net/reviews/comm/awstats

| Arbitrary code can be executed by uploading a specially crafted
| configuration file if an attacker can put a file on the server with
| chosen file name and content (e.g. by using an FTP account on a
| shared hosting server). In this configuration file, the LogFile
| directive can be used to execute shell code following a pipe
| character. As above, an open call on unsanitized input is the source
| of this vulnerability.
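
A defensive check for the issue described in the report, as an added example that is not part of the original message or of AWStats: it scans configuration text for `LogFile` values containing a pipe character, the construct the report identifies as reaching the unsanitized open call. The directive parsing is a simplified assumption, and the function names and sample configurations are constructed for illustration.

```python
import re

# Simplified assumption about the config syntax: one Name=value pair per line,
# value optionally wrapped in double quotes, '#' starting a comment line.
DIRECTIVE = re.compile(r'^\s*(\w+)\s*=\s*(.*?)\s*$')

# Constructed sample configurations (not taken from the report).
SAMPLE_PLAIN = '# constructed sample\nLogFile="/var/log/apache2/access.log"\n'
SAMPLE_PIPED = ('# constructed sample\n'
                'LogFile="placeholder-command |"\n'
                'SiteDomain="example.org"\n')


def logfile_values(config_text):
    """Yield (line_number, value) for every LogFile directive in the text."""
    for number, line in enumerate(config_text.splitlines(), 1):
        if line.lstrip().startswith('#'):
            continue
        match = DIRECTIVE.match(line)
        # Compare case-insensitively so a differently cased name is not missed.
        if match and match.group(1).lower() == 'logfile':
            value = match.group(2)
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            yield number, value.strip()


def audit(config_text):
    """Return (line, kind, value) for LogFile values that contain a pipe."""
    findings = []
    for number, value in logfile_values(config_text):
        if value.startswith('|') or value.endswith('|'):
            # Leading or trailing pipe: the value is a command, not a path.
            findings.append((number, 'pipe', value))
        elif '|' in value:
            # Pipe elsewhere in the value: flag it for manual review.
            findings.append((number, 'embedded-pipe', value))
    return findings


if __name__ == '__main__':
    for name, text in (('plain', SAMPLE_PLAIN), ('piped', SAMPLE_PIPED)):
        print(name, audit(text))
```

A finding is a prompt to check who can write that configuration file, since the report's precondition is an attacker who can place a file with chosen name and content on the server.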



