Synopsis :

The remote web server contains a CGI script that allows execution of
arbitrary commands.

Description :

The remote host is running AWStats, a free logfile analysis tool for
analyzing ftp, mail, web, ... traffic.

The remote version of this software fails to sanitize user-supplied
input to the 'configdir' parameter of the 'awstats.pl' script. An
attacker may exploit this condition to execute commands remotely or
disclose contents of files, subject to the privileges under which the
web server operates.

See also :

http://www.nessus.org/u?2210a10f
http://awstats.sourceforge.net/docs/awstats_changelog.txt

Solution :

Upgrade to AWStats version 6.3 or later.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.9
(CVSS2#E:POC/RL:OF/RC:C)
Public Exploit Available : true