[Pkg-awstats-devel] Bug#365910: AWStats: Malicious config file shell code injection
Hendrik Weimer
hendrik at enyo.de
Wed May 3 17:11:18 UTC 2006
Package: awstats
Version: 6.5-1
Severity: important
Tags: security
Source: http://www.osreviews.net/reviews/comm/awstats
| Arbitrary code can be executed by uploading a specially crafted
| configuration file if an attacker can put a file on the server with
| chosen file name and content (e.g. by using an FTP account on a
| shared hosting server). In this configuration file, the LogFile
| directive can be used to execute shell code following a pipe
| character. As above, an open call on unsanitized input is the source
| of this vulnerability.
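
A defender-side check for the situation the report describes, added here as an example that is not part of the original message or of AWStats: it scans AWStats-style config text for LogFile values containing a pipe and rates a hit higher when someone other than root could have written the file. The Key=Value parsing rules, the function names and the sample config are assumptions constructed for illustration.

```python
import os
import re
import stat
import sys

# Assumed syntax: one Key=Value per line, a leading '#' marks a comment line,
# and the value may be wrapped in double quotes.
DIRECTIVE = re.compile(r'^\s*LogFile\s*=\s*(.*?)\s*$', re.IGNORECASE)

def piped_logfiles(config_text):
    """Return (line_number, value) for each LogFile value that contains a pipe."""
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        if line.lstrip().startswith('#'):
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        value = m.group(1)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        if '|' in value:
            hits.append((lineno, value.strip()))
    return hits

def untrusted_writer(uid, mode, trusted_uids=(0,)):
    """True if the owner is not trusted or group/other may write the file."""
    return uid not in trusted_uids or bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit(path):
    """Rate piped LogFile directives in one config file by who can edit it."""
    st = os.stat(path)
    with open(path, errors='replace') as fh:
        hits = piped_logfiles(fh.read())
    level = 'HIGH' if untrusted_writer(st.st_uid, st.st_mode) else 'review'
    return [(level, path, lineno, value) for lineno, value in hits]

# Constructed sample config, not taken from the bug report.
SAMPLE = "\n".join([
    '# constructed sample config',
    'LogFile="/var/log/apache2/access.log"',
    '#LogFile="disabled | entry"',
    'LogFile = "/path/to/placeholder-command |"',
    'SiteDomain="example.org"',
])

if __name__ == '__main__':
    for path in sys.argv[1:]:
        for finding in audit(path):
            print(*finding, sep='\t')
```

Run it with the config files to check as arguments; a `review` hit in a root-owned file may be an administrator's intentional piped log source, while a `HIGH` hit is a file that a non-root account could have planted or altered.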