BlackICE Agent for Server, BlackICE Server Protection, BlackICE PC Protection, RealSecure Network, RealSecure Server Sensor, Proventia Network MFS, IBM Security Server Protection for Windows, Proventia Network IDS, Proventia Desktop, Proventia-G 1.1 and earlier, RealSecure Desktop, RealSecure Desktop Protector 3.6, Proventia Network IPS, Proventia Server IPS for Linux technology, Virtual Server Protection for VMware:
This signature detects an HTTP GET request to AWStats that could indicate an attempt to execute arbitrary commands or cause a denial of service.
High
BlackICE Agent for Server: 3.6eof, BlackICE Server Protection: 3.6.cpa, BlackICE PC Protection: 3.6cpa, RealSecure Network: XPU 24.4, RealSecure Server Sensor: XPU 24.4, Proventia Network MFS: XPU 1.43, IBM Security Server Protection for Windows: 2.1.14.2400, IBM Security Server Protection for Windows: 1.0.914.0, Proventia Network IDS: XPU 24.4, Proventia Desktop: 8.0.614.1, Proventia-G 1.1 and earlier: XPU 24.4, RealSecure Desktop: eoe, RealSecure Desktop Protector 3.6: eoe, Proventia Network IPS: XPU 1.43, Proventia Server IPS for Linux technology: 1.0, Virtual Server Protection for VMware: 1.0
SCO SCO UnixWare: 2.0.x, Gentoo Linux, AWStats AWStats: prior to 6.3
Unauthorized Access Attempt
AWStats could allow a remote attacker to execute arbitrary commands on the system. An attacker could send a specially crafted request to the awstats.pl script, using the pluginmode, loadplugin, or noloadplugin parameter, to inject and execute arbitrary commands on the system with the privileges of the Web server.
Upgrade to the latest version of AWStats (6.3 or later), available from the AWStats Download Web page. See References.
For Gentoo Linux:
Refer to Gentoo Linux Security Announcement GLSA 200501-36 for patch, upgrade, or suggested workaround information. See References.
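The following log check is an added example, not part of the original advisory and not the logic of the signature itself: it reviews Web server access logs for GET requests to awstats.pl in which pluginmode, loadplugin, or noloadplugin carries a value outside a strict allowlist. The "combined" log layout, the allowlist of characters, and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameters named in the vulnerability description above.
PLUGIN_PARAMS = {"pluginmode", "loadplugin", "noloadplugin"}

# Assumption: a legitimate value is a plain plugin name or a comma-separated list.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_,.\-]*")

# Assumption: Apache-style "combined" access-log layout.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*"'
)


def inspect(line):
    """Return (client ip, parameter, decoded value) findings for one log line."""
    m = LOG_LINE.match(line)
    if not m or m["method"] != "GET":
        return []
    url = urlsplit(m["target"])
    # Match the script regardless of the CGI directory it is installed in.
    if not url.path.lower().endswith("/awstats.pl"):
        return []
    findings = []
    # parse_qsl percent-decodes values, so encoded metacharacters are checked too.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name.lower() in PLUGIN_PARAMS and not SAFE_VALUE.fullmatch(value):
            findings.append((m["ip"], name.lower(), value))
    return findings


def scan(lines):
    """Collect findings across an iterable of access-log lines."""
    return [finding for line in lines for finding in inspect(line)]


# Constructed sample lines (documentation IP ranges, placeholder values).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Feb/2005:10:00:00 +0000] "GET /cgi-bin/awstats.pl?config=example.org HTTP/1.1" 200 5120',
    '192.0.2.11 - - [10/Feb/2005:10:01:00 +0000] "GET /cgi-bin/awstats.pl?config=example.org&loadplugin=geoip HTTP/1.1" 200 5301',
    '198.51.100.7 - - [10/Feb/2005:10:02:00 +0000] "GET /cgi-bin/awstats.pl?config=example.org&pluginmode=a%3Bb HTTP/1.0" 200 312',
    '198.51.100.7 - - [10/Feb/2005:10:03:00 +0000] "GET /index.html?pluginmode=a%3Bb HTTP/1.0" 404 210',
]

if __name__ == "__main__":
    for ip, param, value in scan(SAMPLE_LOG):
        print(f"{ip} sent {param}={value!r} to awstats.pl")
```

A finding shows only that a request matching the advisory's pattern reached the server; whether the host was exposed depends on the installed AWStats version (prior to 6.3).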
SecurityTracker Alert ID: 1012906
AWStats Input Validation Flaws Let Users Execute Arbitrary Commands
http://securitytracker.com/alerts/2005/Jan/1012906.html
AWStats Download Web page
AWStats
http://awstats.sourceforge.net/#DOWNLOAD
Packet Storm Web Site
GHCaws.pl
http://packetstormsecurity.nl/exploits20.html
Packet Storm Web Site
AWStatsVulnAnalysis.pdf
http://packetstormsecurity.nl/exploits20.html
Gentoo Linux Security Announcement GLSA 200501-36
AWStats: Remote code execution
http://www.gentoo.org/security/en/glsa/glsa-200501-36.xml
ISS X-Force
AWStats awstats.pl plugin shell command execution
http://www.iss.net/security_center/static/18912.php
CVE
CVE-2005-0362
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0362