In association with heise online

27 August 2008, 11:03

Critical vulnerability in AWStats Totals

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

AWStats Totals, a PHP script which presents data collected by the web site statistics tool AWStats for multiple web sites, contains critical security vulnerabilities. According to reports, by entering crafted parameters, attackers can pass PHP commands to the server which will be executed by the server.

The fault lies in a failure to check the month, year and sort parameters. The discoverers of the vulnerability describe two sample exploits in their report, one of which works where Magic Quotes are activated and one without. All versions prior to 1.15 are affected. The developers of AWStats Totals recommend that users update as soon as possible to the current version, in which the bug is fixed.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit