Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
Cross-site scripting vulnerability in a popular Linux log file app could lead to remote code execution
Tim Wilson, Editor in Chief, Dark Reading
June 9, 2006
2 Min Read
A newly discovered flaw in a popular Linux application could allow attackers to execute remote code on Linux servers, according to vulnerability reports posted yesterday.
Advanced Web Statistics (AWStats), a log file analyzer and statistics generator that is often used to track Website traffic, contains a bug that could allow a remote attacker to inject arbitrary code onto a Linux server, according to reports on Gentoo and BugTraq.
Hendrik Weimer, a security researcher who discovered the bug, found that cross-site scripting attacks could be perpetrated via a pipe character in the "migrate" parameter of the AWStats application. The exploit works on the server only if the user has enabled automated updates of statistics via a Web front end. However, the cross-site scripting vulnerability could also allow attacks to take place via a client's browser.
"AWStats fails to properly sanitize user-supplied input in awstats.pl," Weimer says.
The vulnerability sites rated the severity of the threat as "high," and at least one said there was no patch available. However, Debian, the open source organization that offers GNU/Linux, says it is aware of the problem and has issued upgrades to both its version 6.4 ("stable") and 6.5 ("unstable") that are available now. Red Hat also reported that it has made updates to the current versions of Ubuntu Linux.
The vulnerability is not the first to appear in AWStats. In February 2005, iDefense discovered a similar configuration vulnerability in the program, but a group of students called the RedTeam discovered a workaround. An AWStats flaw also contributed to the proliferation of the "Lupper" worm in November 2005.
Linux users can avoid some of these vulnerabilities by turning off the "update statistics" feature in AWStats, observers note, but such a workaround negates one of the application's chief functions, which is collecting Web statistics.
— Tim Wilson, Site Editor, Dark Reading
Organizations mentioned in this story
About the Author(s)
Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one of the top cyber security journalists in the US in voting among his peers, conducted by the SANS Institute. In 2011 he was named one of the 50 Most Powerful Voices in Security by SYS-CON Media.
You May Also Like
A screen displaying many different types of charts and graphs to show what data is being analyzed.Cybersecurity Analytics