Family: Debian Local Security Checks --> Category: infos
[DSA1075] DSA-1075-1 awstats Vulnerability Scan
Vulnerability Scan Summary DSA-1075-1 awstats
Detailed Explanation for this Vulnerability Test
Hendrik Weimer discovered that awstats can execute arbitrary commands
under the user id the web server runs as when users are allowed to supply
arbitrary configuration files. Even though this bug was accidentally
referenced in DSA 1058, it had not yet been fixed.

The new default behaviour is not to accept arbitrary configuration
directories from the user. This can be overridden by the
AWSTATS_ENABLE_CONFIG_DIR environment variable when users are to be
trusted.

The old stable distribution (woody) does not seem to be affected by
this problem.

For the stable distribution (sarge) this problem has been fixed in
version 6.4-1sarge3.

For the unstable distribution (sid) this problem has been fixed in
version 6.5-2.

We recommend that you upgrade your awstats package.
Solution : http://www.debian.org/security/2006/dsa-1075
Threat Level: High