CVE-2008-3922
published 2008-09-04


Priority: P275
Severity: critical, 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 53.20% (98.8th percentile)
awstatstotals.php in AWStats Totals 1.0 through 1.14 allows remote attackers to execute arbitrary code via PHP sequences in the sort parameter, which is used by the multisort function when dynamically creating an anonymous PHP function.

Affected

5 ranges
Vendor | Product | Version range | Fixed in
telartis_bv | awstats_totals
telartis_bv | awstats_totals
telartis_bv | awstats_totals
telartis_bv | awstats_totals
telartis_bv | awstats_totals

Detection & IOCs (extracted from sources)

path: /awstatstotals/awstatstotals.php
url: ?sort="].phpinfo().exit().$a["
url: ?sort="].passthru('echo%20YYY;<PAYLOAD>;echo%20YYY;').exit().%24a["
filename: awstatstotals.php
  • Detect exploitation attempts by monitoring HTTP GET requests to awstatstotals.php containing PHP injection sequences in the 'sort' parameter, particularly patterns like `"].` followed by PHP function calls such as `phpinfo()`, `passthru()`, or `exit()`.
  • The Metasploit check method sends `sort='].phpinfo().exit().$a['` and looks for 'localhost' in the response body to confirm vulnerability — alert on this exact sort parameter value in web logs.
  • The exploit payload uses `passthru()` with echo-delimited output markers `YYY` to extract command output — detect `YYY` boundary strings in HTTP responses or `passthru` in the sort parameter.
  • The Metasploit module uses a hardcoded User-Agent string `Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)` for exploit requests — correlate this UA with requests to awstatstotals.php containing injection patterns.
  • All versions v1.0 through v1.14 of AWStats Totals are affected; there is no safe version in this range.
  • The vulnerability is in the `multisort` function which dynamically creates an anonymous PHP function from user-supplied input — the `sort` GET parameter is the sole attack vector.
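The detection notes above, turned into a log check. This is an added example, not code from the sources this record cites. It assumes an Apache/nginx "combined" access log and that legitimate `sort` values are plain identifiers; the log lines, addresses and the `visits` value are constructed.

```python
import re
from urllib.parse import unquote_plus

REQ_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
UA_RE = re.compile(r'"(?P<ua>[^"]*)"\s*$')                      # last quoted field
BREAKOUT_RE = re.compile(r'''["']\s*\]\s*\.''')                 # quote, ], then concatenation
FUNC_RE = re.compile(r'\b(phpinfo|passthru|exit)\s*\(', re.I)   # calls named in the notes above
MSF_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

def sort_values(target):
    """Yield the decoded value of every 'sort' parameter sent to awstatstotals.php."""
    path, _, query = target.partition("?")
    if not path.lower().endswith("awstatstotals.php"):
        return
    for pair in query.split("&"):          # split before decoding so %26 stays inside a value
        key, _, raw = pair.partition("=")
        if unquote_plus(key) == "sort":
            # Undo log-side escaping of the double quote (Apache \" and nginx \x22).
            yield unquote_plus(raw.replace('\\"', '"').replace("\\x22", '"'))

def inspect(line):
    """Return the findings for one access-log line; an empty list means clean."""
    req = REQ_RE.search(line)
    if not req:
        return []
    findings = []
    for value in sort_values(req.group("target")):
        if BREAKOUT_RE.search(value):
            findings.append("string-breakout")
        if FUNC_RE.search(value):
            findings.append("php-call")
        if not findings and not re.fullmatch(r"\w*", value):
            findings.append("non-identifier")   # assumption: real values are identifiers
    ua = UA_RE.search(line)
    if findings and ua and ua.group("ua") == MSF_UA:
        findings.append("msf-user-agent")       # only meaningful alongside an injection hit
    return findings

SAMPLE = [  # constructed log lines
    '192.0.2.10 - - [04/Sep/2008:10:00:00 +0000] "GET /awstatstotals/awstatstotals.php'
    '?sort=visits HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [04/Sep/2008:10:00:05 +0000] "GET /awstatstotals/awstatstotals.php'
    '?sort=%22%5D.phpinfo().exit().%24a%5B%22 HTTP/1.1" 200 48211 "-" "' + MSF_UA + '"',
    '198.51.100.7 - - [04/Sep/2008:10:00:09 +0000] "GET /awstatstotals/awstatstotals.php'
    '?sort=\\x22].phpinfo().exit().$a[\\x22 HTTP/1.1" 200 48211 "-" "curl/7.0"',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(inspect(entry), entry[:40])
```

Decoding before matching is what lets one rule catch the percent-encoded form and the log-escaped raw form alike; the User-Agent is reported only alongside an injection hit, since the string alone is not distinctive.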

CVSS provenance

Source | CVSS version | Score | Severity | Vector
nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck | | 9.3 | CRITICAL |