FreeBSD : awstats -- arbitrary command execution (fdad8a87-7f94-11d9-a9e7-0001020eed82)

This script is Copyright (C) 2005-2013 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing a security-related update.

Description :

Several input validation errors exist in AWStats that allow a remote
unauthenticated attacker to execute arbitrary commands with the
privileges of the web server. These programming errors involve CGI
parameters including loadplugin, logfile, pluginmode, update, and
possibly others.

Additionally, the debug and other CGI parameters may be used to cause
AWStats to disclose AWStats and system configuration information.

See also :

http://marc.info/?l=bugtraq&m=110840530924124
http://awstats.sourceforge.net/docs/awstats_changelog.txt
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=294488
http://www.nessus.org/u?0152761e
http://www.nessus.org/u?aeaf3d57

Solution :

Update the affected package.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 6.5
(CVSS2#E:H/RL:OF/RC:ND)
Public Exploit Available : true

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 19185 (freebsd_pkg_fdad8a877f9411d9a9e70001020eed82.nasl)

Bugtraq ID: 12543, 12545

CVE ID: CVE-2005-0362, CVE-2005-0363, CVE-2005-0435, CVE-2005-0436,
CVE-2005-0437, CVE-2005-0438
