Debian Security Advisory

DSA-892-1 awstats -- missing input sanitising

Date Reported:
10 Nov 2005
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 322591, Bug 334833, Bug 336137.
In Mitre's CVE dictionary: CVE-2005-1527.
More information:

Peter Vreugdenhil discovered that awstats, a featureful web server log analyser, passes user-supplied data to an eval() function, allowing remote attackers to execute arbitrary Perl commands.

The old stable distribution (woody) is not affected by this problem.

For the stable distribution (sarge) this problem has been fixed in version 6.4-1sarge1.

For the unstable distribution (sid) this problem has been fixed in version 6.4-1.1.

We recommend that you upgrade your awstats package.

Fixed in:

Debian GNU/Linux 3.1 (sarge)

Architecture-independent component:

MD5 checksums of the listed files are available in the original advisory.