tag 294488 patch
thanks

Here is the patch used for the Ubuntu security update:

http://patches.ubuntu.com/patches/awstats.more-CAN-2005-0016.diff

awstats (6.2-1.1ubuntu1) hoary; urgency=low
 .
   * SECURITY UPDATE: fix more arbitrary command execution vulnerabilities
   * wwwroot/cgi-bin/awstats.pl: remove all non-path characters from the
     "config", "pluginmode", "loadplugin", and "noloadplugin" parameters
     (which are defined by the remote user) to prevent execution of
     arbitrary shell commands through shell metacharacters.
   * References: similar to CAN-2005-0116
     http://packetstormsecurity.nl/0501-exploits/AWStatsVulnAnalysis.pdf

Martin

--
Martin Pitt                       http://www.piware.de
Ubuntu Developer            http://www.ubuntulinux.org
Debian GNU/Linux Developer       http://www.debian.org