3463.txt

This is the snapshot of Snot Latest Rules

Rule:

--
Sid:
3463

--
Summary:
This event is generated when an attempt is made to access the cgi script
awstats.pl.

--
Impact:
Possible execution of system commands.

--
Detailed Information:
Adavanced Web Statistics (awstats) is used to process web server log
files and produces reports of web server usage.

Some versions of awstats do not correctly sanitize user input. This may
present an attacker with the opportunity to supply system commands via
the "logfile" parameter. For the attack to be sucessful the "update"
parameter must also have the value set to "1". This event indicates that
an attempt has been made to access the awstats.pl cgi script.

--
Affected Systems:
	Awstats 6.1 and prior

--
Attack Scenarios:
An attacker can supply commands of their choosing as a value for the
logfile parameter by enclosing the commands in pipe charecters. For
example: 

 http://www.foo.com/cgi-bin/awstats.pl?update=1&logfile=|<command here>|

--
Ease of Attack:
Simple. No exploit software required.

--
False Positives:
None known.

--
False Negatives:
None known.

--
Corrective Action:
Ensure the system is using an up to date version of the software.

Disallow access to awstats.pl as a CGI script.

--
Contributors:
Sourcefire Vulnerability Research Team
Alex Kirk <akirk@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

--