CVE-2010-4367

Published: 2 December 2010

awstats.cgi in AWStats before 7.0 accepts a configdir parameter in the URL, which allows remote attackers to execute arbitrary commands via a crafted configuration file located on a (1) WebDAV server or (2) NFS server.

Notes

Author: mdeslaur
Note: Our awstats package already has a patch that disables use of the configdir parameter. See Debian bug #365910.

Priority

Medium

Status

Package: awstats (Launchpad, Ubuntu, Debian)

Release   Status
upstream  Released (7.0)
dapper    Not vulnerable (6.5-1ubuntu1.3)
hardy     Not vulnerable (6.7.dfsg-1ubuntu0.1)
karmic    Not vulnerable (6.9~dfsg-1ubuntu3)
lucid     Not vulnerable (6.9~dfsg-1ubuntu3)
maverick  Not vulnerable (6.9.5~dfsg-3)
natty     Not vulnerable (6.9.5~dfsg-4)

Patches:
upstream: http://awstats.cvs.sourceforge.net/viewvc/awstats/awstats/wwwroot/cgi-bin/awstats.pl?r1=1.958&r2=1.962