A newly discovered flaw in a popular Linux application could allow attackers to execute remote code on Linux servers, according to vulnerability reports posted yesterday.

Advanced Web Statistics (AWStats), a log file analyzer and statistics generator that is often used to track Website traffic, contains a bug that could allow a remote attacker to inject arbitrary code onto a Linux server, according to reports on Gentoo and BugTraq.

Hendrik Weimer, a security researcher who discovered the bug, found that cross-site scripting attacks could be perpetrated via a pipe character in the "migrate" parameter of the AWStats application. The exploit works on the server only if the user has enabled automated updates of statistics via a Web front end. However, the cross-site scripting vulnerability could also allow attacks to take place via a client's browser.

"AWStats fails to properly sanitize user-supplied input in awstats.pl," Weimer says.

The vulnerability sites rated the severity of the threat as "high," and at least one said there was no patch available. However, Debian, the open source organization that offers GNU/Linux, says it is aware of the problem and has issued upgrades to both its version 6.4 ("stable") and 6.5 ("unstable") that are available now. Red Hat also reported that it has made updates to the current versions of Ubuntu Linux.

The vulnerability is not the first to appear in AWStats. In February 2005, iDefense discovered a similar configuration vulnerability in the program, but a group of students called the RedTeam discovered a workaround. An AWStats flaw also contributed to the proliferation of the "Lupper" worm in November 2005.

Linux users can avoid some of these vulnerabilities by turning off the "update statistics" feature in AWStats, observers note, but such a workaround negates one of the application's chief functions, which is collecting Web statistics.

— Tim Wilson, Site Editor, Dark Reading

Organizations mentioned in this story