We support Microsoft .NET Framework 2.0 & 1.1, all versions of Access, SQL 2000, SQL 7.0, SQL 2005 Express, SOAP, FrontPage 2002, 2003, Visual Studio 2005, Index Server, XML, UDDI, & Mobile device support. We also offer great third party tools like SmarterMail, Merak Mail, SmarterStats, PHP, Perl, MySql, DeepMetrix Livestats XSP 8.0.
 Monday, June 13, 2005
AWStats Remote Command Execution Vulnerability

iDEFENSE Security Advisory 01.17.05:

I. BACKGROUND

AWStats is a free tool that generates advanced web, ftp or mail server
statistics, graphically. More information about AWStats is available
from:

    http://awstats.sourceforge.net

II. DESCRIPTION

Remote exploitation of an input validation vulnerability in AWStats
allows attackers to execute arbitrary commands under the privileges of
the web server.

The problem specifically exists when the application is running as a
CGI script on a web server. The "configdir" parameter contains
unfiltered user-supplied data that is used in a call to the Perl
routine open(), as can be seen on line 1082 of awstats.pl:

    if (open(CONFIG,"$searchdir$PROG.$SiteConfig.conf"))

The "searchdir" variable holds the value of the parameter supplied by
the attacker via "configdir." Because this is the two-argument form of
open(), Perl reads the open mode out of the string itself, and a string
beginning with "|" is treated as a command to spawn and pipe to rather
than a file to open. An attacker can therefore cause arbitrary commands
to be executed by prefixing them with the "|" character.

V. WORKAROUND

Add a filter around the "configdir" parameter by replacing the following
code:

    if ($QueryString =~ /configdir=([^&]+)/i)
    {
        $DirConfig=&DecodeEncodedString("$1");
    }

With:

    if ($QueryString =~ /configdir=([^&]+)/i)
    {
        $DirConfig=&DecodeEncodedString("$1");
        # tr with /c and /d deletes every character outside [a-z0-9_\-/.],
        # so "|", ";", "&", backticks and whitespace never reach open().
        $DirConfig=~tr/a-z0-9_\-\/\./a-z0-9_\-\/\./cd;
    }
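The following script is an added example, not code from AWStats or from the iDEFENSE advisory. It puts the open() call from the description side by side with a hardened version built from the workaround's tr filter plus a three-argument open(), so the difference can be observed on one constructed "|"-prefixed value. The $PROG value, the site name "demo", the file names and the payload are all assumptions made for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not AWStats or iDEFENSE code.  The payload, site name and
# file names are constructed for the demonstration.
use strict;
use warnings;

my $PROG = 'awstats';

# Same shape as the open() call quoted in the advisory.  With two arguments,
# open() reads the mode out of the string itself: a value that starts with
# "|" means "spawn this command and pipe to its stdin", not "open this file".
sub vulnerable_open {
    my ($searchdir, $SiteConfig) = @_;
    my $spec = "$searchdir$PROG.$SiteConfig.conf";
    if (open(CONFIG, $spec)) {
        close(CONFIG);    # for a "|cmd" spec this waits for the command to finish
        return "open() succeeded on '$spec'";
    }
    return "open() failed on '$spec': $!";
}

# Hardened version.  (1) The advisory's whitelist: tr with /c and /d deletes
# every character outside [a-z0-9_\-/.], so "|", ";", "&", backticks and
# whitespace can never reach open().  (2) Three-argument open() with an
# explicit '<' mode: the third argument is then always a filename, and a
# leading "|" would simply be part of the name.
sub hardened_open {
    my ($searchdir, $SiteConfig) = @_;
    $searchdir =~ tr/a-z0-9_\-\/\./a-z0-9_\-\/\./cd;
    my $path = "$searchdir$PROG.$SiteConfig.conf";
    if (open(my $fh, '<', $path)) {
        close($fh);
        return "read config file '$path'";
    }
    return "no config file at '$path' ($!)";
}

# Constructed payload in the shape the advisory describes: a "|" prefix
# followed by a harmless command.  Under vulnerable_open() the string
# "|echo INJECTED awstats.demo.conf" makes Perl run
#     echo INJECTED awstats.demo.conf
# so the word INJECTED appears on stdout, proving a process was spawned.
my $payload = '|echo INJECTED ';

print "vulnerable: ", vulnerable_open($payload, 'demo'), "\n";
print "hardened:   ", hardened_open($payload, 'demo'), "\n";
```

Running it prints "INJECTED awstats.demo.conf" from the child process next to the "vulnerable:" status line, while the hardened call reports that no config file exists: the filter reduces "|echo INJECTED " to "echo" (the pipe, the space and the uppercase letters are all outside the whitelist), and the '<' mode guarantees the remaining string is only ever used as a file name. Two practical notes: the tr set is case-sensitive, so a legitimate configuration directory containing uppercase letters would be silently mangled by the workaround; and the filter is aimed at command metacharacters only, as "/" and "." remain allowed, so the three-argument open() and any path restriction you already apply to configuration directories should stay in place alongside it.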