FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-27 18:04:16 UTC

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID / Description

ce6ce2f8-34ac-11e0-8103-00215c6a37bb
awstats -- arbitrary commands execution vulnerability

Awstats change log reports:

  • Security fix (Traverse directory of LoadPlugin)
  • Security fix (Limit config to defined directory to avoid access to external config file via an NFS or WebDAV link).

Discovery 2010-05-01
Entry 2011-02-10
awstats
< 7.0,1

awstats-devel
> 0

CVE-2010-4367
http://www.exploitdevelopment.com/Vulnerabilities/2010-WEB-001.html
http://awstats.sourceforge.net/docs/awstats_changelog.txt
2df297a2-dc74-11da-a22b-000c6ec775d9
awstats -- arbitrary command execution vulnerability

OS Reviews reports:

If the update of the stats via web front-end is allowed, a remote attacker can execute arbitrary code on the server using a specially crafted request involving the migrate parameter. Input starting with a pipe character ("|") leads to an insecure call to Perl's open function and the rest of the input being executed in a shell. The code is run in the context of the process running the AWStats CGI.

Arbitrary code can be executed by uploading a specially crafted configuration file if an attacker can put a file on the server with chosen file name and content (e.g. by using an FTP account on a shared hosting server). In this configuration file, the LogFile directive can be used to execute shell code following a pipe character. As above, an open call on unsanitized input is the source of this vulnerability.
Discovery 2006-05-03
Entry 2006-05-05
Modified 2006-11-15
awstats
< 6.5_2,1

http://awstats.sourceforge.net/awstats_security_news.php
http://secunia.com/advisories/19969/
http://www.osreviews.net/reviews/comm/awstats
4055aee5-f4c6-11e7-95f2-005056925db4
awstats -- remote code execution

Mitre reports:

Awstats version 7.6 and earlier is vulnerable to a path traversal flaw in the handling of the "config" and "migrate" parameters resulting in unauthenticated remote code execution.
Discovery 2018-01-03
Entry 2018-01-08
awstats
< 7.7,1

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000501
CVE-2017-1000501
ports/225007
27d78386-d35f-11dd-b800-001b77d09812
awstats -- multiple XSS vulnerabilities

Secunia reports:

Morgan Todd has discovered a vulnerability in AWStats, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed in the URL to awstats.pl is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Successful exploitation requires that the application is running as a CGI script.
Discovery 2008-03-12
Entry 2009-01-04
awstats
< 6.9,1

awstats-devel
> 0

CVE-2008-3714
CVE-2008-5080
http://secunia.com/advisories/31519
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495432
e86fbb5f-0d04-11da-bc08-0001020eed82
awstats -- arbitrary code execution vulnerability

An iDEFENSE Security Advisory reports:

Remote exploitation of an input validation vulnerability in AWStats allows remote attackers to execute arbitrary commands.

The problem specifically exists because of insufficient input filtering before passing user-supplied data to an eval() function. As part of the statistics reporting function, AWStats displays information about the most common referrer values that caused users to visit the website. The referrer data is used without proper sanitation in an eval() statement, resulting in the execution of arbitrary Perl code.

Successful exploitation results in the execution of arbitrary commands with permissions of the web service. Exploitation will not occur until the stats page has been regenerated with the tainted referrer values from the http access log. Note that AWStats is only vulnerable in situations where at least one URLPlugin is enabled.
Discovery 2005-08-09
Entry 2005-08-14
Modified 2005-08-23
awstats
< 6.4_1

CVE-2005-1527
http://marc.theaimsgroup.com/?l=full-disclosure&m=112377934108902
http://www.idefense.com/application/poi/display?id=290&type=vulnerabilities