Package: awstats
Version: 6.5-1
Severity: important
Tags: security
Source: http://www.osreviews.net/reviews/comm/awstats
| If the update of the stats via web front-end is allowed, a remote
| attacker can execute arbitrary code on the server using a specially
| crafted request involving the migrate parameter. Input starting with
| a pipe character ("|") leads to an insecure call to Perl's open
| function and the rest of the input being executed in a shell. The
| code is run in the context of the process running the AWStats CGI.
Note that AllowToUpdateStatsFromBrowser, which is required for
successful exploitation, is disabled by default.
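
The insecure open pattern the quoted advisory describes, next to a hardened form, as an added example (not AWStats code and not part of the original report). The function names, the file-name allow-list and the sample values are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Constructed data directory with one history file (names are assumptions).
my $dir = tempdir(CLEANUP => 1);
open(my $out, '>', "$dir/stats012006.txt") or die "setup: $!";
print {$out} "constructed sample\n";
close($out);

# Vulnerable pattern, shown for comparison and never called here:
# two-argument open reads the mode from the data itself, so a leading "|"
# turns the rest of the value into a shell command.
sub open_history_unsafe {
    my ($name) = @_;
    open(my $fh, $name) or return;
    return $fh;
}

# Hardened pattern: allow-list the value, then use three-argument open
# so the mode is fixed to read-only regardless of what $name contains.
sub open_history_safe {
    my ($base, $name) = @_;
    return unless defined $name;
    return unless $name =~ /\A[A-Za-z0-9][A-Za-z0-9._-]*\.txt\z/;
    open(my $fh, '<', "$base/$name") or return;
    return $fh;
}

# Constructed request values for a hypothetical parameter handler.
for my $value ('stats012006.txt', '|placeholder-command',
               '../stats012006.txt', 'missing.txt') {
    my $fh = open_history_safe($dir, $value);
    printf "%-24s %s\n", $value, $fh ? 'opened read-only' : 'not opened';
    close($fh) if $fh;
}
```

Only the first value is opened; the pipe-prefixed and path-traversal values fail the allow-list before any open call is made, and the last one passes the allow-list but does not exist.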