Published February 3rd, 2005 by Jim O'Halloran
AwStatus Vulnerability
Note to self: Upgrade awstats. This is why:
AwStats exploit by Thunder, molnar_rcs@yahoo.com
This exploit makes use of the remote command execution bug discovered in
AwStats ver 6.2 and below. The bug resides in the awstats.pl perl script.
The script does not sanitise correctly the user input for the
`configdir` parameter. If the users sends a command prefixed and postfixed
with | , the command will be executed.
It appears this exploit is in active use, its already affected Jeremy and Russell. Looks like my box was also probed for the vulnerability over the weekend.
82.174.146.210 - - [30/Jan/2005:07:52:28 +101800] “GET /awstats/awstats.pl?configdir=|echo;uname%20-a;w;id;pwd| HTTP/1.1″ 404 405 “-” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)”
They didn’t find awstats (it was on a different vhost). Until I can upgrade awstats requires authentication, which should keep anyone away from it in the interim. If you use an awstats earlier than 6.3, you need to be aware of this.