"Citrix SD-WAN Appliance 10.2."
"Rifatron Intelligent Digital Security System - 'animate.cgi' Stream Disclosure"
"CHIYU BF430 TCP IP Converter - Stored Cross-Site Scripting"

AWStats 6.5, and possibly other versions, allows remote authenticated users to execute arbitrary code by using the configdir parameter to upload a.

"Zen Load Balancer 3.10.1 - Remote Code Execution"
"Zen Load Balancer 3.10.1 - 'index.cgi' Directory Traversal"
"Zen Load Balancer 3.10.1 - Directory Traversal (Metasploit)"
"Mailman 1.x > 2.1.23 - Cross Site Scripting (XSS)"

Package(s): awstats
CVE(s): CVE-2010-4367
Created: February 21, 2011
Updated: February 23, 2011
Description: From the CVE entry: awstats.cgi in AWStats before 7.0 accepts a configdir parameter in the URL, which allows remote attackers to execute arbitrary commands via a crafted configuration file located on a (1) WebDAV server or (2) NFS server.

"Gemtek WVRTM-127ACN 01.01.02.141 - Authenticated Arbitrary Command Injection"
"NewsLister - Authenticated Persistent Cross-Site Scripting"
"ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)"
"DotCMS 20.11 - Stored Cross-Site Scripting"
"ChurchCRM 4.2.0 - CSV/Formula Injection"
"Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile"
"Mitel mitel-cs018 - Call Data Information Disclosure"
"Ksix Zigbee Devices - Playback Protection Bypass (PoC)"

Sarge and sid are affected. The two ones known as -configdir -update are solved in this version but there is another one called -pluginmode And I have.

"No rate Limit on Password Reset functionality"

Package: awstats
Version: 6.2-1.1
Severity: grave
Tags: security
Justification: user security hole
The arbitrary command execution problem in the 6.2 release is composed of several vulnerabilities.

"aSc TimeTables 2021.6.2 - Denial of Service (PoC)"

excellent AWStats configdir Remote Command Execution.

#include #include #include // #include #include #include void usage(char *pname) // milw0rm.
AWStats is vulnerable to remote command execution when installed on Apache Tomcat on Microsoft Windows operating systems.

* AwStats exploit by Thunder, molnar_rcs.com
This exploit makes use of the remote command execution bug discovered in AwStats ver 6.2 and below.

The script does not sanitise correctly the user input for the `configdir` parameter. If the user sends a command prefixed and postfixed with |, the command will be executed. An example would be: Let's execute '/usr/bin/w':
> http://localhost/cgi-bin/awstats.pl?configdir=%20|%20/usr/bin/w%20|%20
Error: LogFile parameter is not defined in config/domain file
Setup ('| /usr/bin/w | /' file, web server or permissions) may be wrong. Check config file, permissions and AWStats documentation (in 'docs' directory).

SQL Injection and Remote Code Execution linux/http/astiumsqliupload.