Executive Summary
| Summary | |
|---|---|
| Title | awstats vulnerability |
| Informations | |||
|---|---|---|---|
| Name | USN-290-1 | First vendor Publication | 2006-06-08 |
| Vendor | Ubuntu | Last vendor Modification | 2006-06-08 |
| Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:L/Au:S/C:N/I:P/A:N) | |||
|---|---|---|---|
| Cvss Base Score | 4 | Attack Range | Network |
| Cvss Impact Score | 2.9 | Attack Complexity | Low |
| Cvss Expoit Score | 8 | Authentication | Requires single instance |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| A security issue affects the following Ubuntu releases: Ubuntu 5.04 Ubuntu 5.10 Ubuntu 6.06 LTS This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 5.04: Ubuntu 5.10: Ubuntu 6.06 LTS: In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: Hendrik Weimer discovered a privilege escalation vulnerability in awstats. By supplying the 'configdir' CGI parameter and setting it to an attacker-controlled directory (such as an FTP account, /tmp, or similar), an attacker could execute arbitrary shell commands with the privileges of the web server (user 'www-data'). This update disables the 'configdir' parameter by default. If all local user accounts can be trusted, it can be reenabled by running awstats with the AWSTATS_ENABLE_CONFIG_DIR environment variable set to a nonempty value. |
Original Source
| Url : http://www.ubuntu.com/usn/USN-290-1 |
CPE : Common Platform Enumeration
| Type | Description | Count |
|---|---|---|
| Application | 3 |
OpenVAS Exploits
| Date | Description |
|---|---|
| 2008-01-17 | Name : Debian Security Advisory DSA 1075-1 (awstats) File : nvt/deb_1075_1.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 25818 | AWStats AWSTATS_ENABLE_CONFIG_DIR Path Subversion Privilege Escalation |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2007-11-10 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-290-1.nasl - Type : ACT_GATHER_INFO |
| 2007-10-17 | Name : The remote openSUSE host is missing a security update. File : suse_awstats-1612.nasl - Type : ACT_GATHER_INFO |
| 2007-02-18 | Name : The remote host is missing a vendor-supplied security patch File : suse_SA_2006_033.nasl - Type : ACT_GATHER_INFO |
| 2006-10-14 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1075.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 12:03:29 |
|
