Awstats official workaround flaw
RedTeam found a flaw in the official workaround for the remote command
execution vulnerability in awstats discovered by iDefense.
Affected Version: <= 6.2
Immune Version: 6.3
OS affected: all
iDefense found a remote command execution vulnerability in awstats <= 6.2,
The official awstats website tells users that they are safe from remote
command execution if they set the variable $!AllowToUpdateStatsFromBrowser to
0. This is not true, as the exploit can still be triggered.
In awstats.pl the variable $configdir, which is used to exploit, can still be
set remotely. Setting $!AllowToUpdateStatsFromBrowser to 0 only removes the
link to the button which can be used to trigger updates. The variable can
still be assigned per GET request.
Proof of Concept
Use the workaround provided by iDefense. See their advisory for the original
Fixed in version 6.3.
High, as arbitrary commands can be executed on the vulnerable system.
2005-02-12 email@example.com informed
2005-02-12 CVE number requested
2005-02-14 issue does not qualify for a CVE number. posted.
2009-05-08 Updated Advisory URL
RedTeam is a penetration testing group working at the Laboratory for
Dependable Distributed Systems at RWTH-Aachen University. You can find more
information on the RedTeam Project at