CVE-2017-1000501
published 2018-01-03


Priority: P261 | critical | 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 4.35% (90.0th percentile)

Awstats version 7.6 and earlier is vulnerable to a path traversal flaw in the handling of the "config" and "migrate" parameters resulting in unauthenticated remote code execution.

Affected

23 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| awstats | awstats | <= 7.6.0 | |
| awstats | awstats | <= 7.7 | |
| awstats | awstats | <= 7.8 | |
| awstats | awstats | >= 0 < 7.8-1 | 7.8-1 |
| awstats | awstats | >= 0 < 7.8-2 | 7.8-2 |
| awstats | awstats | >= 0 < 7.6+dfsg-2 | 7.6+dfsg-2 |
| awstats | awstats | >= 0 < 7.8-1 | 7.8-1 |
| awstats | awstats | >= 0 < 7.8-2 | 7.8-2 |
| awstats | awstats | >= 0 < 7.6+dfsg-2 | 7.6+dfsg-2 |
| awstats | awstats | >= 0 < 7.8-1 | 7.8-1 |
| awstats | awstats | >= 0 < 7.8-2 | 7.8-2 |
| awstats | awstats | >= 0 < 7.6+dfsg-2 | 7.6+dfsg-2 |
| awstats | awstats | >= 0 < 7.8-1 | 7.8-1 |
| awstats | awstats | >= 0 < 7.8-2 | 7.8-2 |
| awstats | awstats | >= 0 < 7.6+dfsg-2 | 7.6+dfsg-2 |
| debian | awstats | < awstats 7.8-2 (bookworm) | awstats 7.8-2 (bookworm) |
| debian | awstats | < awstats 7.8-1 (bookworm) | awstats 7.8-1 (bookworm) |
| debian | awstats | < awstats 7.6+dfsg-2 (bookworm) | awstats 7.6+dfsg-2 (bookworm) |
| debian | debian_linux | | |
| debian | debian_linux | | |
| debian | debian_linux | | |
| fedoraproject | fedora | | |
| fedoraproject | fedora | | |

Detection & IOCs (extracted from sources)

url: cgi-bin/awstats.pl?config=
path: cgi-bin/awstats.pl
  • Monitor HTTP requests to awstats.pl containing 'config' or 'migrate' parameters with path traversal sequences (e.g., '../', absolute paths, or partial absolute paths omitting leading '/etc') indicating exploitation attempts.
  • Flag requests to awstats.pl where the 'config' parameter carries an absolute pathname (e.g., starting with '/') rather than a simple config name, as this indicates exploitation of the incomplete fix.
  • Alert on requests where the 'config' parameter contains a partial absolute pathname omitting the initial '/etc', as this bypasses the incomplete CVE-2017-1000501 patch.
  • Unauthenticated requests to awstats.pl with manipulated 'config' or 'migrate' parameters should be treated as high-severity; no authentication is required to trigger remote code execution.
  • The CVE-2017-1000501 fix was incomplete; subsequent bypasses were tracked as CVE-2020-29600 (absolute path) and CVE-2020-35176 (partial absolute path omitting '/etc'). Detection rules must account for all three bypass variants.
  • Affected versions are AWStats 7.6 and earlier for CVE-2017-1000501; through 7.7 for CVE-2020-29600; through 7.8 for CVE-2020-35176. Ensure version checks in detection logic cover all ranges.
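
One way to apply the rules above to web server logs, as an added example that is not code from this page or from the AWStats project. It assumes Apache-style access-log lines and that a legitimate 'config' value is a bare name such as a hostname; the function names, sample lines and placeholder values are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: a legitimate value is a bare config name such as a hostname.
SIMPLE_NAME = re.compile(r"[A-Za-z0-9_.-]+")
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
WATCHED = ("config", "migrate")

def classify(value):
    """Label one parameter value, or return None if it looks like a plain name."""
    if ".." in value:
        return "traversal-sequence"     # pattern named for CVE-2017-1000501
    if value.startswith("/"):
        return "absolute-path"          # bypass tracked as CVE-2020-29600
    if "/" in value:
        return "partial-path"           # bypass tracked as CVE-2020-35176
    if not SIMPLE_NAME.fullmatch(value):
        return "unexpected-characters"
    return None

def scan_line(line):
    """Return [(param, label)] for an access-log line that requests awstats.pl."""
    m = REQUEST.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not url.path.endswith("awstats.pl"):
        return []
    findings = []
    # parse_qs percent-decodes values, so %2f and %2e are checked in decoded form.
    for param, values in parse_qs(url.query).items():
        if param.lower() in WATCHED:
            findings += [(param.lower(), lab) for lab in map(classify, values) if lab]
    return findings

# Constructed sample lines; addresses, paths and values are placeholders.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2021:10:00:00 +0000] "GET /cgi-bin/awstats.pl?config=www.example.com HTTP/1.1" 200 5120',
    '198.51.100.8 - - [01/Jan/2021:10:00:05 +0000] "GET /cgi-bin/awstats.pl?config=..%2f..%2fplaceholder HTTP/1.1" 200 312',
    '198.51.100.8 - - [01/Jan/2021:10:00:09 +0000] "GET /cgi-bin/awstats.pl?config=/placeholder/dir/name HTTP/1.1" 200 312',
    '198.51.100.8 - - [01/Jan/2021:10:00:12 +0000] "GET /cgi-bin/awstats.pl?config=placeholder/dir/name HTTP/1.1" 200 312',
    '198.51.100.9 - - [01/Jan/2021:10:00:20 +0000] "GET /cgi-bin/awstats.pl?output=main&migrate=%2Fplaceholder HTTP/1.1" 200 312',
    '198.51.100.9 - - [01/Jan/2021:10:00:25 +0000] "GET /index.html?config=/placeholder HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for param, label in scan_line(line):
            print(f"ALERT {label:<20} param={param} :: {line}")
```

The check decodes one layer of percent-encoding only, and it does not see parameters sent in a POST body, which access logs normally omit.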

CVSS provenance

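| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 9.8 | CRITICAL | |
| vendor_debian | | 9.8 | CRITICAL | |
| vendor_ubuntu | | 9.8 | CRITICAL | |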