[] NeoSense
E X P L O I T S
title author type platform port cve id

AWStats 5.x/6.x - 'Logfile' Remote Command Execution

Author: newbug@chroot.org
type: webapps
platform: cgi
port: 
date_added: 2005-02-16 
date_updated: 2013-04-30 
verified: 1 
codes:  
tags: 
aliases:  
screenshot_url:  
application_url: 
source: https://www.securityfocus.com/bid/12572/info

AWStats is reported prone to a remote arbitrary command-execution vulnerability. This issue occurs because the application fails to properly sanitize user-supplied data.

Specifically, the user-specified 'logfile' URI parameter is supplied to the Perl 'open()' routine. This issue is considered distinct from BID 10950 (AWStats Rawlog Plugin Logfile Parameter Input Validation Vulnerability).

AWStats versions 5.4 to 6.1 are reported vulnerable to this issue.

http://www.example.com/cgi-bin/awstats.pl?update=1&logfile=|/bin/ls|
Billing Policy . Cookies Policy . Conditions . Disclaimer . ICANN Policy . Legal Notice . Privacy Policy . Spam Policy . Usage Policy
Copyright © 2026 NEOSENSE. All rights reserved.