AWStats official web site
Free real-time logfile analyzer (Perl CGI) to get advanced web statistics (GNU GPL).

SourceForge

AWStats security announcements

This page provides information about known problems related to security on AWStats software.
Current security status: No alert
Status updated on: 2016-12-03


The following text give you an historical summary of all past holes found and fixed:

Version 7.6 or higher (safe from any known exploits)

There is no exploit nor hole known by AWStats team on this version or on higher versions, so using this version and higher is safe.


Note 1: You may however find announces about parameters provided into URLs that are not sanitized. In fact, AWStats sanitizing code can be found in the line
$QueryString = CleanFromCSSA(&DecodeEncodedString($QueryString));
This line sanitizes all URLs parameters provided to AWStats (removing CSS codes and | commands).


Hole #5: Version 7.5 and lower (possible remote execution code if environment variable AWSTATS_ENABLE_CONFIG_DIR is set, very rare)

CVSSv3 Base Score:
7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)


Hole #4: Version 6.8 and lower (offer a way to make XSS attacks):

When AWStats version is 6.8 or lower and is used as a CGI in a framed mode:
Not correctly sanitized parameters can be used to have AWStats URL generate an output with an URL that contains javscript used for a XSS attacks.
When AWStats version is 6.8 or lower and is used to build static pages:
If you use AWStats to build static pages, you are completely safe, whatever is the version of AWStats you use.


Hole #3: Version 6.4 and 6.5 (offer a way to make XSS attacks):

When AWStats version is 6.4 or 6.5 is used as a CGI:
Not correctly sanitized parameters refererpagesfilter, urlfilter, hostfiler, refererpagesfilterex, urlfilterex, hostfilerex can be used to provided an AWStats URL that return an URL that contains javscritp used for a XSS attacks.
This hole is reported under name:
- CVE-2006-3681
When AWStats version is 6.5 or lower and is used to build static pages:
If you use AWStats to build static pages, you are completely safe, whatever is the version of AWStats you use.


Hole #2: Version 6.4 and 6.5 (vulnerable to remote command via the migrate parameter, not vulnerable to Lupper Worm):

When AWStats version is 6.4 or 6.5 is used as a CGI:
If the update of the stats via web front-end is allowed, a remote attacker can execute arbitrary code on the server using a specially crafted request involving the migrate parameter. Input starting with a pipe character ("|") leads to an insecure call to Perl's open function and the rest of the input being executed in a shell. The code is run in the context of the process running the AWStats CGI.

When AWStats version is 6.5 or lower and is used to build static pages:
Again, if you use AWStats to build static pages, you are completely safe, whatever is the version of AWStats you use.


Hole #1: Version 5.0 - 6.3 (vulnerable to Lupper Worm, upgrade to 6.4 is highly recommanded)

When AWStats version is 6.3 or lower and is used as a CGI:
A security hole was found in October 2004 in old AWStats versions (from 5.0 to 6.3) when AWStats is used as a CGI:
A remote user can execute arbitrary commands on your server using permissions of your web server user (in most cases user "nobody" or "wwwroot").
Note that this hole was reported by different securities companies as different holes and with different names, but all are the same. The good name for this hole could be:
- AWStats bad sanitizing parameters exploit
This are other current names used to refer to this bug (list is not complete, depends on securities companies, all thoose names/alerts refer to this bug):
- The configdir exploit
- The config remote exploit
- The urlplugin bug
- The rawlog plugin bug
- The plugin exploit
- The eval hole/exploit
- The missing sanitizing parameters
- The October 2004 AWStats security hole
- ShowInfoURL Remote Command Execution
- Debian DSA-682-1
- Debian DSA-892-1
- AusCERT ESB-2005.0049
- GLSA 200501-36
- CVE-2005-0116 (or CAN-2005-0116)
- CVE-2005-0362
- CVE-2005-0363
- CVE-2005-1527
- CERTA-2005-AVI-307-003
- IDEFENSE:20050809 AWStats ShowInfoURL Remote Command Execution Vulnerability
- UBUNTU:USN-167-1
- MISC:http://www.securiteam.com/unixfocus/5DP0J00GKE.html
- BID:14525
- OSVDB:18696
- SECTRACK:1014636
- SECUNIA:16412
- XF:awstats-eval-execute-commands(21769)

It is highly recommanded to upgrade to 6.4 version, or higher, because some worms exists in the Internet (Slapper, Lupper) that can and exploit this security hole.

When AWStats version is 6.3 or lower and is used to build static pages:
If you use AWStats to build static pages, you are completely safe, whatever is the version of AWStats you use.