GLSA-200606-06 : AWStats: Remote execution of arbitrary code

medium Nessus Plugin ID 21667

Synopsis

The remote Gentoo host is missing one or more security-related patches.

Description

The remote host is affected by the vulnerability described in GLSA-200606-06 (AWStats: Remote execution of arbitrary code)

Hendrik Weimer has found that if updating the statistics via the web frontend is enabled, it is possible to inject arbitrary code via a pipe character in the 'migrate' parameter. Additionally, r0t has discovered that AWStats fails to properly sanitize user-supplied input in awstats.pl.
Impact :

A remote attacker can execute arbitrary code on the server in the context of the application running the AWStats CGI script if updating of the statistics via web frontend is allowed. Nonetheless, all configurations are affected by a cross-site scripting vulnerability in awstats.pl, allowing a remote attacker to execute arbitrary scripts running in the context of the victim's browser.
Workaround :

Disable statistics updates using the web frontend to avoid code injection. However, there is no known workaround at this time concerning the cross-site scripting vulnerability.

Solution

All AWStats users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose '>=www-misc/awstats-6.5-r1'

See Also

https://security.gentoo.org/glsa/200606-06

Plugin Details

Severity: Medium

ID: 21667

File Name: gentoo_GLSA-200606-06.nasl

Version: 1.18

Type: local

Published: 6/8/2006

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.0

CVSS v2

Risk Factor: Medium

Base Score: 5.1

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:gentoo:linux:awstats, cpe:/o:gentoo:linux

Required KB Items: Host/local_checks_enabled, Host/Gentoo/release, Host/Gentoo/qpkg-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/7/2006

Vulnerability Publication Date: 4/18/2006

Exploitable With

Core Impact

Metasploit (AWStats migrate Remote Command Execution)

Reference Information

CVE: CVE-2006-1945, CVE-2006-2237

GLSA: 200606-06