Critical vulnerability in AWStats Totals
AWStats Totals, a PHP script that presents data collected by the web site statistics tool AWStats for multiple web sites, contains critical security vulnerabilities. According to reports, attackers can use crafted parameters to pass PHP commands to the server, which then executes them.
The fault lies in a failure to check the month, year and sort parameters. The discoverers of the vulnerability describe two sample exploits in their report, one that works where Magic Quotes are activated and one that works without. All versions prior to 1.15 are affected. The developers of AWStats Totals recommend that users update as soon as possible to the current version, in which the bug is fixed.
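The kind of check the article says was missing, as an added example (PHP 7.4 or later) that is not code from AWStats Totals or from the advisory: the month, year and sort parameters are reduced to a bounded integer or an allow-listed name before anything uses them. The page does not say how the script uses these values; the column names, ranges, defaults and function names here are assumptions.

```php
<?php
// Added example: allow-list validation for the three request parameters
// named in the article. Column names, ranges and defaults are assumptions.

const SORT_COLUMNS = ['domain', 'visits', 'pages', 'hits', 'bandwidth']; // hypothetical

function clean_int(array $src, string $key, int $min, int $max, int $default): int
{
    if (!isset($src[$key]) || !is_string($src[$key])) {
        return $default; // missing, or an array such as ?month[]=1
    }
    // ctype_digit rejects signs, whitespace, quotes and any trailing text.
    if (!ctype_digit($src[$key]) || strlen($src[$key]) > 4) {
        return $default;
    }
    $n = (int) $src[$key];
    return ($n >= $min && $n <= $max) ? $n : $default;
}

function clean_params(array $src): array
{
    $sort = $src['sort'] ?? '';
    return [
        'month' => clean_int($src, 'month', 1, 12, (int) date('n')),
        'year'  => clean_int($src, 'year', 1990, 2100, (int) date('Y')),
        // Strict in_array: only an exact, known column name is accepted.
        'sort'  => (is_string($sort) && in_array($sort, SORT_COLUMNS, true)) ? $sort : 'domain',
    ];
}

function sort_rows(array $rows, string $column): array
{
    // The column is used only as an array key inside a fixed closure;
    // request data is never concatenated into code or handed to an evaluator.
    usort($rows, fn(array $a, array $b) => $b[$column] <=> $a[$column]);
    return $rows;
}

// Constructed sample input: one valid value and two malformed ones.
$p = clean_params(['month' => '7', 'year' => '2008abc', 'sort' => 'visits;junk']);
$rows = sort_rows([
    ['domain' => 'a.example', 'visits' => 10],
    ['domain' => 'b.example', 'visits' => 25],
], $p['sort']);
// month stays 7; year and sort fall back to their defaults.
printf("%d %d %s %s\n", $p['month'], $p['year'], $p['sort'], $rows[0]['domain']);
```

Because the values are validated by type and range rather than by escaping, the result does not depend on whether Magic Quotes is enabled.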
See also:
- Multiple Vulnerabilities in AWStats Totals, security advisory from Emory University
(djwm)