CVE-2017-1000501
published 2018-01-03CVE-2017-1000501: Awstats version 7.6 and earlier is vulnerable to a path traversal flaw in the handling of the "config" and "migrate" parameters resulting in unauthenticated…
PriorityP261critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
EPSS
4.35%
90.0th percentile
Awstats version 7.6 and earlier is vulnerable to a path traversal flaw in the handling of the "config" and "migrate" parameters resulting in unauthenticated remote code execution.
Affected
23 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| awstats | awstats | <= 7.6.0 | — |
| awstats | awstats | <= 7.7 | — |
| awstats | awstats | <= 7.8 | — |
| awstats | awstats | >= 0 < 7.8-1 | 7.8-1 |
| awstats | awstats | >= 0 < 7.8-2 | 7.8-2 |
| awstats | awstats | >= 0 < 7.6+dfsg-2 | 7.6+dfsg-2 |
| awstats | awstats | >= 0 < 7.8-1 | 7.8-1 |
| awstats | awstats | >= 0 < 7.8-2 | 7.8-2 |
| awstats | awstats | >= 0 < 7.6+dfsg-2 | 7.6+dfsg-2 |
| awstats | awstats | >= 0 < 7.8-1 | 7.8-1 |
| awstats | awstats | >= 0 < 7.8-2 | 7.8-2 |
| awstats | awstats | >= 0 < 7.6+dfsg-2 | 7.6+dfsg-2 |
| awstats | awstats | >= 0 < 7.8-1 | 7.8-1 |
| awstats | awstats | >= 0 < 7.8-2 | 7.8-2 |
| awstats | awstats | >= 0 < 7.6+dfsg-2 | 7.6+dfsg-2 |
| debian | awstats | < awstats 7.8-2 (bookworm) | awstats 7.8-2 (bookworm) |
| debian | awstats | < awstats 7.8-1 (bookworm) | awstats 7.8-1 (bookworm) |
| debian | awstats | < awstats 7.6+dfsg-2 (bookworm) | awstats 7.6+dfsg-2 (bookworm) |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor HTTP requests to awstats.pl containing 'config' or 'migrate' parameters with path traversal sequences (e.g., '../', absolute paths, or partial absolute paths omitting leading '/etc') indicating exploitation attempts. ↗
- →Flag requests where the 'config' parameter in awstats.pl accepts an absolute pathname (e.g., starting with '/') rather than a simple config name, as this indicates exploitation of the incomplete fix. ↗
- →Alert on requests where the 'config' parameter contains a partial absolute pathname omitting the initial '/etc', as this bypasses the incomplete CVE-2017-1000501 patch. ↗
- →Unauthenticated requests to awstats.pl with manipulated 'config' or 'migrate' parameters should be treated as high-severity; no authentication is required to trigger remote code execution. ↗
- ·The CVE-2017-1000501 fix was incomplete; subsequent bypasses were tracked as CVE-2020-29600 (absolute path) and CVE-2020-35176 (partial absolute path omitting '/etc'). Detection rules must account for all three bypass variants. ↗
- ·Affected versions are AWStats 7.6 and earlier for CVE-2017-1000501; through 7.7 for CVE-2020-29600; through 7.8 for CVE-2020-35176. Ensure version checks in detection logic cover all ranges. ↗
CVSS provenance
nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
osv9.8CRITICAL
vendor_debian9.8CRITICAL
vendor_ubuntu9.8CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
AWStats vulnerabilities
vendor_ubuntu·2021-05-13·CVSS 9.8
CVE-2020-35176 [CRITICAL] AWStats vulnerabilities
Title: AWStats vulnerabilities
Summary: Several security issues were fixed in AWStats.
Sean Boran discovered that AWStats incorrectly filtered certain parameters.
A remote attacker could possibly use this issue to execute arbitrary code.
(CVE-2020-29600)
It was discovered that AWStats incorrectly filtered certain parameters. A
remote attacker could possibly use this issue to access sensitive
information. (CVE-2020-35176)
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2020-35176: awstats - In AWStats through 7.8, cgi-bin/awstats.pl?config= accepts a partial absolute pa...
vendor_debian·2020·CVSS 9.8
CVE-2020-35176 [CRITICAL] CVE-2020-35176: awstats - In AWStats through 7.8, cgi-bin/awstats.pl?config= accepts a partial absolute pa...
In AWStats through 7.8, cgi-bin/awstats.pl?config= accepts a partial absolute pathname (omitting the initial /etc), even though it was intended to only read a file in the /etc/awstats/awstats.conf format. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000501 and CVE-2020-29600.
Scope: local
bookworm: resolved (fixed in 7.8-2)
bullseye: resolved (fixed in 7.8-2)
forky: resolved (fixed in 7.8-2)
sid: resolved (fixed in 7.8-2)
trixie: resolved (fixed in 7.8-2)
Debian
CVE-2020-29600: awstats - In AWStats through 7.7, cgi-bin/awstats.pl?config= accepts an absolute pathname,...
vendor_debian·2020·CVSS 9.8
CVE-2020-29600 [CRITICAL] CVE-2020-29600: awstats - In AWStats through 7.7, cgi-bin/awstats.pl?config= accepts an absolute pathname,...
In AWStats through 7.7, cgi-bin/awstats.pl?config= accepts an absolute pathname, even though it was intended to only read a file in the /etc/awstats/awstats.conf format. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000501.
Scope: local
bookworm: resolved (fixed in 7.8-1)
bullseye: resolved (fixed in 7.8-1)
forky: resolved (fixed in 7.8-1)
sid: resolved (fixed in 7.8-1)
trixie: resolved (fixed in 7.8-1)
Ubuntu
AWStats vulnerability
vendor_ubuntu·2018-01-08
CVE-2017-1000501 AWStats vulnerability
Title: AWStats vulnerability
Summary: AWStats could be made to run programs if it received specially crafted
network traffic.
It was discovered that AWStats incorrectly filtered certain parameters. A
remote attacker could possibly use this issue to execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2017-1000501: awstats - Awstats version 7.6 and earlier is vulnerable to a path traversal flaw in the ha...
vendor_debian·2017·CVSS 9.8
CVE-2017-1000501 [CRITICAL] CVE-2017-1000501: awstats - Awstats version 7.6 and earlier is vulnerable to a path traversal flaw in the ha...
Awstats version 7.6 and earlier is vulnerable to a path traversal flaw in the handling of the "config" and "migrate" parameters resulting in unauthenticated remote code execution.
Scope: local
bookworm: resolved (fixed in 7.6+dfsg-2)
bullseye: resolved (fixed in 7.6+dfsg-2)
forky: resolved (fixed in 7.6+dfsg-2)
sid: resolved (fixed in 7.6+dfsg-2)
trixie: resolved (fixed in 7.6+dfsg-2)
GHSA
GHSA-6hh4-7wc7-6vq9: In AWStats through 7
ghsa_unreviewed·2022-05-24·CVSS 9.8
CVE-2020-35176 [CRITICAL] CWE-22 GHSA-6hh4-7wc7-6vq9: In AWStats through 7
In AWStats through 7.8, cgi-bin/awstats.pl?config= accepts a partial absolute pathname (omitting the initial /etc), even though it was intended to only read a file in the /etc/awstats/awstats.conf format. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000501 and CVE-2020-29600.
GHSA
GHSA-43g3-5cf8-2gm2: In AWStats through 7
ghsa_unreviewed·2022-05-24·CVSS 9.8
CVE-2020-29600 [CRITICAL] CWE-22 GHSA-43g3-5cf8-2gm2: In AWStats through 7
In AWStats through 7.7, cgi-bin/awstats.pl?config= accepts an absolute pathname, even though it was intended to only read a file in the /etc/awstats/awstats.conf format. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000501.
GHSA
GHSA-ph65-4f3r-7fv8: Awstats version 7
ghsa_unreviewed·2022-05-13
CVE-2017-1000501 [CRITICAL] CWE-22 GHSA-ph65-4f3r-7fv8: Awstats version 7
Awstats version 7.6 and earlier is vulnerable to a path traversal flaw in the handling of the "config" and "migrate" parameters resulting in unauthenticated remote code execution.
OSV
CVE-2020-35176: In AWStats through 7
osv·2020-12-12·CVSS 9.8
CVE-2020-35176 [CRITICAL] CVE-2020-35176: In AWStats through 7
In AWStats through 7.8, cgi-bin/awstats.pl?config= accepts a partial absolute pathname (omitting the initial /etc), even though it was intended to only read a file in the /etc/awstats/awstats.conf format. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000501 and CVE-2020-29600.
OSV
CVE-2020-29600: In AWStats through 7
osv·2020-12-07·CVSS 9.8
CVE-2020-29600 [CRITICAL] CVE-2020-29600: In AWStats through 7
In AWStats through 7.7, cgi-bin/awstats.pl?config= accepts an absolute pathname, even though it was intended to only read a file in the /etc/awstats/awstats.conf format. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000501.
OSV
CVE-2017-1000501: Awstats version 7
osv·2018-01-03·CVSS 9.8
CVE-2017-1000501 [CRITICAL] CVE-2017-1000501: Awstats version 7
Awstats version 7.6 and earlier is vulnerable to a path traversal flaw in the handling of the "config" and "migrate" parameters resulting in unauthenticated remote code execution.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2017-1000501 awstats: awstat: Two path traversal issues in awstat.pl [epel-all]
bugzilla·2017-12-27·CVSS 9.8
CVE-2017-1000501 [CRITICAL] CVE-2017-1000501 awstats: awstat: Two path traversal issues in awstat.pl [epel-all]
CVE-2017-1000501 awstats: awstat: Two path traversal issues in awstat.pl [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported vers
Bugzilla
CVE-2017-1000501 awstat: Two path traversal issues in awstat.pl
bugzilla·2017-12-27·CVSS 9.8
CVE-2017-1000501 [CRITICAL] CVE-2017-1000501 awstat: Two path traversal issues in awstat.pl
CVE-2017-1000501 awstat: Two path traversal issues in awstat.pl
Two path traversal flaws were discovered in awstats that could be leveraged for unauthenticated remote code execution.
Upstream patch:
https://github.com/eldy/awstats/commit/cf219843a74c951bf5986f3a7fffa3dcf99c3899
https://github.com/eldy/awstats/commit/06c0ab29c1e5059d9e0279c6b64d573d619e1651
Discussion:
Created awstats tracking bugs for this issue:
Affects: epel-all [bug 1529350]
Affects: fedora-all [bug 1529351]
---
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
Bugzilla
CVE-2017-1000501 awstats: awstat: Two path traversal issues in awstat.pl [fedora-all]
bugzilla·2017-12-27·CVSS 9.8
CVE-2017-1000501 [CRITICAL] CVE-2017-1000501 awstats: awstat: Two path traversal issues in awstat.pl [fedora-all]
CVE-2017-1000501 awstats: awstat: Two path traversal issues in awstat.pl [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported
http://www.awstats.org/https://github.com/eldy/awstats/commit/06c0ab29c1e5059d9e0279c6b64d573d619e1651https://github.com/eldy/awstats/commit/cf219843a74c951bf5986f3a7fffa3dcf99c3899https://lists.debian.org/debian-lts-announce/2018/01/msg00012.htmlhttps://security.gentoo.org/glsa/202007-37https://www.debian.org/security/2018/dsa-4092http://www.awstats.org/https://github.com/eldy/awstats/commit/06c0ab29c1e5059d9e0279c6b64d573d619e1651https://github.com/eldy/awstats/commit/cf219843a74c951bf5986f3a7fffa3dcf99c3899https://lists.debian.org/debian-lts-announce/2018/01/msg00012.htmlhttps://security.gentoo.org/glsa/202007-37https://www.debian.org/security/2018/dsa-4092
2018-01-03
Published