Linux Compatible
  • News
    • Channels
    • Archive
    • Search
    • Submit
  • Articles
    • Categories
  • Knowledgebase
  • Compatibility
    • Search
  • Links
  • Forums
  • Twitter
Advertisement

Latest News
[ Windows | Linux | Apple ]

· Nvidia GeForce GTX 1660 Ti Reviews and more
· NVIDIA 418.43 Linux Display Drivers released
· Windows 10 Insider Preview Build 18343 and Build 18841 released
· NVIDIA Geforce Game Ready Driver 419.17 WHQL
· Iscsi-initiator-utils Bug Fix Update for Oracle Linux 6
· Rssh Security Update for Debian 9
· Bind Security Update for Ubuntu Linux
· Build, Mosquitto, Nodejs6, GraphicsMagick Updates for openSUSE
· Adrenalin Software Edition 19.2.2 Driver Performance Analysis using the Red Devil RX 590 and more
· GNOME 3.32 Beta 2 released

Linux Compatibility
· Brother DCP-L2540DN
· Sound Blaster E5
· WD Elements 500GB external hard drive
· Canon D660U Flatbad scanner
· Umax Astra 4500 USB Scanner
· Logitech QuickCam Pro 4000
· Dell Latitude E6420
· Creative Sound Blaster Z
· Photosmart 5520
· TB-5300 Slimline Design Tablet

New Forum Topics
· Dale
by: Dale Blinco
on: 2018-02-05 00:26
1 replies, 4050 views

· modem driver needed
by: jongiffen777
on: 2017-12-13 11:11
1 replies, 5789 views

· Need a decent browser for XP Pro!
by: percy
on: 2017-12-05 11:02
2 replies, 7191 views

· Comodo Time Machine + Faronics Deep Freeze
by: Jabberwocky
on: 2017-11-15 23:17
1 replies, 5706 views

· Linux compatablity
by: ibme
on: 2017-10-04 18:05
1 replies, 7643 views

News Channels
· Drivers
· Guides
· Reviews
· Security
· Software
· Press Release
· Updates
· Interviews
· Linux
· General
· Debian
· Red Hat
· Slackware
· Gentoo
· Mandriva
· White Box
· SUSE
· GNOME
· KDE
· CentOS
· Ubuntu
· MEPIS
· Android
· Oracle Linux
· Arch Linux

What's New
Login to see an overview of all news stories since your last visit.

Welcome to our website

To take full advantage of all features you need to login or register. Registration is completely free and takes only a few seconds.

Linux Compatible » News » June 2006 » GLSA 200606-06 AWStats: Remote execution of arbitrary code

GLSA 200606-06 AWStats: Remote execution of arbitrary code

Posted by Bob on: 06/07/2006 08:42 PM [ Print | 0 comment(s) ]

A new security update has been released for Gentoo Linux - AWStats: Remote execution of arbitrary code. Here the announcement:




Gentoo Linux Security Advisory GLSA 200606-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: AWStats: Remote execution of arbitrary code
Date: June 07, 2006
Bugs: #130487
ID: 200606-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

AWStats contains a bug in the sanitization of the input parameters
which can lead to the remote execution of arbitrary code.

Background
==========

AWStats is an advanced log file analyzer and statistics generator.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-www/awstats lt; 6.5-r1 gt;= 6.5-r1

Description
===========

Hendrik Weimer has found that if updating the statistics via the web
frontend is enabled, it is possible to inject arbitrary code via a pipe
character in the "migrate" parameter. Additionally, r0t has discovered
that AWStats fails to properly sanitize user-supplied input in
awstats.pl.

Impact
======

A remote attacker can execute arbitrary code on the server in the
context of the application running the AWStats CGI script if updating
of the statistics via web frontend is allowed. Nonetheless, all
configurations are affected by a cross-site scripting vulnerability in
awstats.pl, allowing a remote attacker to execute arbitrary scripts
running in the context of the victim's browser.

Workaround
==========

Disable statistics updates using the web frontend to avoid code
injection. However, there is no known workaround at this time
concerning the cross-site scripting vulnerability.

Resolution
==========

All AWStats users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose "gt;=net-www/awstats-6.5-r1"

References
==========

[ 1 ] CVE-2006-1945
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1945
[ 2 ] CVE-2006-2237
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2237

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200606-06.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

« [Security Announce] [ MDKSA-2006:096 ] - Updated openldap packages fixes buffer overflow vulnerability. · Microsoft Offers Community-Based Tools on CodePlex Site »

Linux Compatible » News » June 2006 » GLSA 200606-06 AWStats: Remote execution of arbitrary code
All products mentioned are registered trademarks or trademarks of their respective owners.
© 2002-2018 Esselbach Internet Solutions - All Rights Reserved. Terms and privacy policy
Powered by Contentteller® Business Edition