FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

nothing found there

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
0f5a2b4d-694b-11d9-a9e7-0001020eed82awstats -- remote command execution vulnerability

An iDEFENSE Security Advisory reports:

Remote exploitation of an input validation vulnerability in AWStats allows attackers to execute arbitrary commands under the privileges of the web server.

The problem specifically exists when the application is running as a CGI script on a web server. The "configdir" parameter contains unfiltered user-supplied data that is utilized in a call to the Perl routine open()...

Successful exploitation allows remote attackers to execute arbitrary commands under the privileges of the web server. This can lead to further compromise as it provides remote attackers with local access.

Discovery 2004-10-21
Entry 2005-01-18
Modified 2005-02-23
lt 6.3

27d78386-d35f-11dd-b800-001b77d09812awstats -- multiple XSS vulnerabilities

Secunia reports:

Morgan Todd has discovered a vulnerability in AWStats, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed in the URL to is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Successful exploitation requires that the application is running as a CGI script.

Discovery 2008-03-12
Entry 2009-01-04
lt 6.9,1

gt 0

2df297a2-dc74-11da-a22b-000c6ec775d9awstats -- arbitrary command execution vulnerability

OS Reviews reports:

If the update of the stats via web front-end is allowed, a remote attacker can execute arbitrary code on the server using a specially crafted request involving the migrate parameter. Input starting with a pipe character ("|") leads to an insecure call to Perl's open function and the rest of the input being executed in a shell. The code is run in the context of the process running the AWStats CGI.

Arbitrary code can be executed by uploading a specially crafted configuration file if an attacker can put a file on the server with chosen file name and content (e.g. by using an FTP account on a shared hosting server). In this configuration file, the LogFile directive can be used to execute shell code following a pipe character. As above, an open call on unsanitized input is the source of this vulnerability.

Discovery 2006-05-03
Entry 2006-05-05
Modified 2006-11-15
lt 6.5_2,1
4055aee5-f4c6-11e7-95f2-005056925db4awstats -- remote code execution

Mitre reports:

Awstats version 7.6 and earlier is vulnerable to a path traversal flaw in the handling of the "config" and "migrate" parameters resulting in unauthenticated remote code execution.

Discovery 2018-01-03
Entry 2018-01-08
lt 7.7,1
ce6ce2f8-34ac-11e0-8103-00215c6a37bbawstats -- arbitrary commands execution vulnerability

Awstats change log reports:

  • Security fix (Traverse directory of LoadPlugin)
  • Security fix (Limit config to defined directory to avoid access to external config file via a nfs or webdav link).

Discovery 2010-05-01
Entry 2011-02-10
lt 7.0,1

gt 0

e86fbb5f-0d04-11da-bc08-0001020eed82awstats -- arbitrary code execution vulnerability

An iDEFENSE Security Advisory reports:

Remote exploitation of an input validation vulnerability in AWStats allows remote attackers to execute arbitrary commands.

The problem specifically exists because of insufficient input filtering before passing user-supplied data to an eval() function. As part of the statistics reporting function, AWStats displays information about the most common referrer values that caused users to visit the website. The referrer data is used without proper sanitation in an eval() statement, resulting in the execution of arbitrary perl code.

Successful exploitation results in the execution of arbitrary commands with permissions of the web service. Exploitation will not occur until the stats page has been regenerated with the tainted referrer values from the http access log. Note that AWStats is only vulnerable in situations where at least one URLPlugin is enabled.

Discovery 2005-08-09
Entry 2005-08-14
Modified 2005-08-23
lt 6.4_1

fdad8a87-7f94-11d9-a9e7-0001020eed82awstats -- arbitrary command execution

Several input validation errors exist in AWStats that allow a remote unauthenticated attacker to execute arbitrary commands with the priviliges of the web server. These programming errors involve CGI parameters including loadplugin, logfile, pluginmode, update, and possibly others.

Additionally, the debug and other CGI parameters may be used to cause AWStats to disclose AWStats and system configuration information.

Discovery 2005-02-10
Entry 2005-02-16
Modified 2005-02-23
lt 6.4