Thanks.

Martin Pitt wrote:
> Here is the patch used for the Ubuntu security update:
>
> http://patches.ubuntu.com/patches/awstats.more-CAN-2005-0016.diff

CAN-2005-0016 is the gatos problem Debian fixed in DSA 640

> awstats (6.2-1.1ubuntu1) hoary; urgency=low
> .
>   * SECURITY UPDATE: fix more arbitrary command execution vulnerabilities
>   * wwwroot/cgi-bin/awstats.pl: remove all non-path characters from the
>     "config", "pluginmode", "loadplugin", and "noloadplugin" parameters (which
>     are defined by the remote user) to prevent execution of arbitrary shell
>     commands through shell metacharacters.
>   * References:
>     similar to CAN-2005-0116

CAN-2005-0116 does not apply to the stable Debian release

http://www.debian.org/security/nonvulns-woody#CAN-2005-0116

However, from the patch you provided, at least the "config" is part of the
version in woody so we'll have to issue an update I guess.

Regards,

	Joey

-- 
The good thing about standards is that there are so many to choose from.
	-- Andrew S. Tanenbaum
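The sanitisation the quoted changelog describes, written out as an added Perl illustration (this is not the Ubuntu patch or awstats' own code): an allowlist filter for the four remote-supplied parameters, followed by a three-argument open so the filename can never be interpreted as a pipe. The parameter names come from the changelog; the config directory and the sample inputs are assumptions made up for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Keep only "path characters": word characters, dash, dot and slash.
# Everything else, including the shell metacharacters ; | ` $ ( ) & < >
# and newlines, is dropped. Note that '.' and '/' survive, so this filter
# does nothing against "../" traversal; that needs a separate check.
sub sanitize_path_param {
    my ($value) = @_;
    return '' unless defined $value;
    $value =~ s{[^\w\-./]}{}g;
    return $value;
}

# Constructed sample query parameters standing in for what a CGI request
# would deliver; real code would read them from CGI.pm or %ENV.
my %untrusted = (
    config       => 'example.org;id',
    pluginmode   => 'hashfiles`whoami`',
    loadplugin   => 'decodeutfkeys|sort',
    noloadplugin => 'geoip',
);

my %clean;
for my $name (qw(config pluginmode loadplugin noloadplugin)) {
    $clean{$name} = sanitize_path_param($untrusted{$name});
    printf "%-12s %-24s -> %s\n", $name, $untrusted{$name}, $clean{$name};
}
# config       example.org;id           -> example.orgid
# pluginmode   hashfiles`whoami`        -> hashfileswhoami
# loadplugin   decodeutfkeys|sort       -> decodeutfkeyssort
# noloadplugin geoip                    -> geoip

# Assumed config location for the illustration. The three-argument form of
# open() treats its last argument purely as a filename, unlike the
# two-argument form, where a leading or trailing '|' starts a command.
my $configdir = '/etc/awstats';
my $path      = "$configdir/awstats.$clean{config}.conf";
if (open(my $fh, '<', $path)) {
    print "would read site config from $path\n";
    close $fh;
} else {
    print "no config at $path ($!)\n";
}
```

The filter and the three-argument open are complementary: the first keeps metacharacters out of every parameter, the second makes sure the filename built from them cannot become a command even if a future edit forgets to filter.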