Arbitrary Code Execution Vulnerability in Awstats 6.4
August 16, 2005 Posted by KP
There is a new vulnerability in Awstats 6.4; a detailed explanation is here. The new development version, 6.5, has addressed this issue but is not yet available in ports. Awstats 6.4 has been marked forbidden in the ports tree, so “make install” will display the following message, which is different from the portaudit error:
===> awstats-6.4 is forbidden: http://vuxml.FreeBSD.org/e86fbb5f-0d04-11da-bc08-0001020eed82.html.
I deinstalled Awstats and cleaned up the files and related Apache configuration. The Awstats installation is a little messed up on my server: I started using it with version 6.1, which needed a manual copy, and version 6.4 seemed to automate this, which left two copies on my server. But now I think I might be mistaken - ports shouldn’t be so dumb, so it’s very possible that I missed something when I installed 6.1. Anyway, the domain configuration files are located in a different folder, /etc/awstats, and are not affected, so it will be very easy to install the soon-to-be-released version: a “make install” and an optional directory protection should be enough.
Filed Under: Security