AWStats contains several flaws that may allow a malicious user to execute arbitrary code. The issue is triggered when providing shell meta-characters to the "pluginmode", "loadplugin", or "noloadplugin" variables of the awstats.pl script. It is possible that the flaw may allow execution of arbitrary commands under the web server privileges resulting in a loss of integrity.

Upgrade to version 6.4 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

• Related OSVDB ID: 13832 13833
• CVE ID: 2005-0362 (see also: NVD) 2005-0363 (see also: NVD)
• CERT VU: 259785
• Vendor Specific News/Changelog Entry: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=294488
• Generic Informational URL: http://packetstormsecurity.nl/0501-exploits/AWStatsVulnAnalysis.pdf
• Other Advisory URL: http://www.debian.org/security/2005/dsa-682

• newbug - newbugchroot.org -