The Exploit Database is a CVE compliant archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers. Our aim is to serve the most comprehensive collection of exploits gathered through direct submissions, mailing lists, as well as other public sources, and present them.

There is a vulnerability in AWStats 6.2 and previous versions which leads to remote command execution. This gives an attacker almost full control over the server. This vulnerability was first disclosed on 17th January 2005. It has been fixed in AWStats 6.3, so we urge everybody who is using AWStats to make sure they are using 6.3. To be honest, not everything is bad about AWStats. However, unless its security record improves, AWStats should only be used to generate static content or on a private web server. Additionally, the developers claim that only one vulnerability has been found in the history of AWStats, which is simply not true.

Computer vulnerabilities tracking provides a network vulnerability workaround. Each administrator can customize the list of products for which he wants to receive vulnerability alerts.
It isn't a Linux or Apache thing, but some of the websites on that server use AWSTATS.

Solutions for this threat: AWStats version 6.6. An attacker with technician-level skill can exploit this weakness. The trust level is confirmed by the editor, with an origin of intranet client. A proof of concept or an attack tool is available, so your teams have to process this alert. Our team determined that the severity of this weakness announcement is important.
This computer threat alert impacts software or systems such as Debian, openSUSE, Unix (platform) (list not comprehensive). AWStats version 7.6 and earlier is vulnerable to a path traversal flaw in the handling of the config and migrate parameters, resulting in unauthenticated remote code execution.
Vulnerability of AWStats: command execution with migrate

Synthesis of the vulnerability

An attacker can use a special migrate parameter in order to execute a shell command on the server.

Vulnerable systems: Debian, openSUSE, Unix (platform) (list not comprehensive).

The AWStats program generates web, ftp or mail statistics. It is written in Perl, and displays its statistics on a web server. Data from the "migrate" parameter are passed to the Perl open() function. However, the '|' character is not filtered. An attacker can therefore run a shell command using the open() function. This vulnerability therefore permits a remote attacker to execute commands with AWStats rights.

In AWStats, cgibin/config accepts an absolute pathname, even though it was intended to only read a file in the /etc/awstats/nf format.

The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 20.10 host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-4953-1 advisory.