CVE-2005-0116
published 2005-01-18


Priority P274 high · 7.5 CVSS 2.0
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 74.94% (99.4th percentile)
AWStats 6.1, and other versions before 6.3, allows remote attackers to execute arbitrary commands via shell metacharacters in the configdir parameter to awstats.pl.

Affected

6 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| awstats | awstats | <= 6.3 | |
| awstats | awstats | >= 0 < 6.2-1.1 | 6.2-1.1 |
| awstats | awstats | >= 0 < 6.2-1.1 | 6.2-1.1 |
| awstats | awstats | >= 0 < 6.2-1.1 | 6.2-1.1 |
| awstats | awstats | >= 0 < 6.2-1.1 | 6.2-1.1 |
| debian | awstats | < awstats 6.2-1.1 (bookworm) | awstats 6.2-1.1 (bookworm) |

Detection & IOCs (extracted from sources)

url: `/cgi-bin/awstats.pl?configdir=%20|%20/usr/bin/w%20|%20`
path: `/cgi-bin/awstats.pl`
command: `configdir=|echo;cat /etc/hosts;echo|`
command: `?configdir=|echo;echo%20YYY;#{command};echo%20YYY;echo|`
  • Detect shell metacharacter injection (pipe characters) in the `configdir` GET parameter of requests to awstats.pl
  • Alert on GET requests to awstats.pl where the `configdir` parameter contains pipe (`|`) characters, which are the shell metacharacters used for command injection
  • Monitor for the exploit check pattern `configdir=|echo;cat /etc/hosts;echo|` in HTTP request URIs as a vulnerability probe
  • Monitor for the delimiter pattern `YYY` in HTTP responses to awstats.pl requests, which is used by Metasploit modules to delimit command output
  • Flag HTTP GET requests to awstats.pl containing URL-encoded pipe characters (%7C) or literal pipes in the configdir parameter value
  • The vulnerable parameter is `configdir` in awstats.pl; the CGI script path may vary from the default `/cgi-bin/awstats.pl` if deployed under a user directory (e.g., `/~user/cgi-bin`)
  • Affected versions are AWStats 6.1 and 6.2 (confirmed by iDEFENSE); versions before 6.3 are broadly vulnerable, so detections should target these version ranges
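
The pipe-in-`configdir` check from the bullets above, as an added example (not part of the original page or of any vendor rule): a Python filter over web server access-log lines. The log lines are constructed, and the names `configdir_injection` and `scan` are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request line of a common/combined-format access log entry. The target is
# matched loosely because a logged probe may contain raw spaces.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>[^"]+?) HTTP/[\d.]+"')

# Constructed sample log lines (documentation-range IPs), not captured traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Jan/2005:10:00:01 +0000] "GET /cgi-bin/awstats.pl?config=example.org HTTP/1.1" 200 5120',
    '192.0.2.10 - - [18/Jan/2005:10:00:02 +0000] "GET /cgi-bin/awstats.pl?configdir=/etc/awstats HTTP/1.1" 200 5120',
    '198.51.100.7 - - [18/Jan/2005:10:00:03 +0000] "GET /cgi-bin/awstats.pl?configdir=%20|%20/usr/bin/w%20|%20 HTTP/1.0" 200 811',
    '198.51.100.7 - - [18/Jan/2005:10:00:04 +0000] "GET /~user/cgi-bin/awstats.pl?configdir=%7Cecho%7C HTTP/1.0" 200 64',
    '198.51.100.7 - - [18/Jan/2005:10:00:05 +0000] "GET /cgi-bin/other.pl?configdir=%7Cecho%7C HTTP/1.0" 404 210',
]

def configdir_injection(log_line):
    """Return the decoded configdir value if the line is a request to
    awstats.pl whose configdir parameter contains a pipe, else None."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    parts = urlsplit(match.group("target"))
    # The script path may differ from /cgi-bin/awstats.pl, so match the file name.
    if not parts.path.lower().endswith("/awstats.pl"):
        return None
    # parse_qsl percent-decodes, so %7C and a literal | are treated alike.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() == "configdir" and "|" in value:
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_configdir) for every flagged line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        value = configdir_injection(line)
        if value is not None:
            hits.append((number, value))
    return hits

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: configdir={value!r}")
```
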

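CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 7.5 | HIGH | |
| vulncheck | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | HIGH | |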