AWStats versions 6.3 and prior contain multiple vulnerabilities resulting from improper input validation that allow a remote attacker to cause a Denial of Service (DoS) condition, gain sensitive information, and execute arbitrary commands.
The first vulnerability (CAN-2005-0435) allows a remote attacker to gain sensitive information from the affected server. To exploit this vulnerability, the attacker can craft a malicious URL calling the rawlog plugin. This allows the attacker to view information such as IP addresses, administrative script names and non-encoded GET requests.
The second vulnerability allows a remote attacker to execute arbitrary system commands with the privileges of the web server process. An attacker could craft a malicious URL using the update and logfile parameters. Only versions 6.1 and prior are vulnerable to this attack.
The third vulnerability (CAN-2005-0436) allows a remote attacker to execute arbitrary system commands or call arbitrary Perl functions. Output from these commands can be returned to the attacker. To exploit this vulnerability, the attacker must craft a malicious URL that calls the pluginmode parameter without using the loadplugin parameter.
The fourth vulnerability allows an attacker to cause a DoS condition on the affected system. The attacker can craft a malicious URL that calls pluginmode parameters and instructs the running process to sleep. The effectiveness of this attack is unclear, especially on a multi-threaded system.
The fifth vulnerability (CAN-2005-0437) allows a remote attacker to conduct directory traversal attacks. To exploit this vulnerability, the attacker can craft a malicious URL containing directory traversal characters designed to call Perl plugins. Exploitation allows the attacker to call and execute any Perl plugins from the local system on the affected server.
The sixth vulnerability (CAN-2005-0438) allows the attacker to view debug information on the affected server. The attacker can exploit this vulnerability by crafting a URL that sets the debug parameter to a non-zero value.
Exploit code is available for the third vulnerability.
Patches are available.
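For log review, the parameter patterns described above can be searched for in web server access logs. The following is an added example, not code from the advisory or from the AWStats project; it assumes the CGI script is requested as awstats.pl, that the rawlog plugin name appears as a query value, and that traversal sequences may appear in any query value. The log lines are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines; every host, path and value is a placeholder.
SAMPLE_LOG = [
    '192.0.2.1 - - [01/Mar/2005:10:00:00 +0000] "GET /cgi-bin/awstats.pl?config=site HTTP/1.0" 200 512',
    '192.0.2.2 - - [01/Mar/2005:10:00:01 +0000] "GET /cgi-bin/awstats.pl?config=site&loadplugin=rawlog HTTP/1.0" 200 512',
    '192.0.2.3 - - [01/Mar/2005:10:00:02 +0000] "GET /cgi-bin/awstats.pl?config=site&update=1&logfile=PLACEHOLDER HTTP/1.0" 200 512',
    '192.0.2.4 - - [01/Mar/2005:10:00:03 +0000] "GET /cgi-bin/awstats.pl?config=site&pluginmode=PLACEHOLDER HTTP/1.0" 200 512',
    '192.0.2.5 - - [01/Mar/2005:10:00:04 +0000] "GET /cgi-bin/awstats.pl?config=site&loadplugin=..%2F..%2FPLACEHOLDER HTTP/1.0" 200 512',
    '192.0.2.6 - - [01/Mar/2005:10:00:05 +0000] "GET /cgi-bin/awstats.pl?config=site&debug=1 HTTP/1.0" 200 512',
    '192.0.2.7 - - [01/Mar/2005:10:00:06 +0000] "GET /index.html?debug=1 HTTP/1.0" 200 512',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify(url):
    """Return labels for the advisory's parameter patterns found in one request URL."""
    parts = urlsplit(url)
    if not parts.path.endswith("awstats.pl"):  # assumed script name
        return []
    q = parse_qs(parts.query, keep_blank_values=True)  # also percent-decodes values
    values = [v for vs in q.values() for v in vs]
    hits = []
    if any("rawlog" in v.lower() for v in values):            # first issue
        hits.append("rawlog-plugin")
    if "update" in q and "logfile" in q:                       # second issue
        hits.append("update+logfile")
    if "pluginmode" in q:                                      # third and fourth issues
        hits.append("pluginmode" if "loadplugin" in q
                    else "pluginmode-without-loadplugin")
    if any(".." in v for v in values):                         # fifth issue
        hits.append("directory-traversal")
    if any(v.strip() not in ("", "0") for v in q.get("debug", [])):  # sixth issue
        hits.append("debug-nonzero")
    return hits

def scan(lines):
    """Return (line_number, labels) for every log line that matches a pattern."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        hits = classify(m.group(1)) if m else []
        if hits:
            findings.append((n, hits))
    return findings

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(n, ", ".join(hits))
```

A hit shows only that the parameter pattern was requested; whether the server was affected depends on the installed AWStats version.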