Web application abuses : AWStats Totals 'sort' Parameter RCE Vulnerabilities

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 146377 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.801893

Categoría: Web application abuses

Título: AWStats Totals 'sort' Parameter RCE Vulnerabilities

Resumen: AWStats Totals is prone to remote command execution vulnerabilities.

Descripción: Summary:
AWStats Totals is prone to remote command execution vulnerabilities.

Vulnerability Insight:
The flaw is caused by improper validation of user-supplied input passed via
the 'sort' parameter to 'multisort()' function, which allows attackers to execute arbitrary PHP code.

Vulnerability Impact:
Successful exploitation could allow remote attackers to execute arbitrary PHP
commands by constructing specially crafted 'sort' parameters.

Affected Software/OS:
AWStats Totals versions 1.14 and prior.

Solution:
Upgrade to AWStats Totals version 1.15 or later.

CVSS Score:
9.3

CVSS Vector:
AV:N/AC:M/Au:N/C:C/I:C/A:C

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2008-3922
BugTraq ID: 30856
http://www.securityfocus.com/bid/30856
Bugtraq: 20080826 Multiple Vulnerabilities in AWStats Totals (Google Search)
http://www.securityfocus.com/archive/1/495770/100/0/threaded
http://www.exploit-db.com/exploits/17324
https://www.exploit-db.com/exploits/6368
http://userwww.service.emory.edu/~ekenda2/EMORY-2008-01.txt
http://secunia.com/advisories/31630
http://securityreason.com/securityalert/4218
http://securityreason.com/securityalert/8259
http://www.vupen.com/english/advisories/2008/2442
XForce ISS Database: awstatstotals-multisort-command-execution(44712)
https://exchange.xforce.ibmcloud.com/vulnerabilities/44712

Copyright Copyright (C) 2011 Greenbone AG

Esta es sólo una de 146377 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.801893
Categoría:	Web application abuses
Título:	AWStats Totals 'sort' Parameter RCE Vulnerabilities
Resumen:	AWStats Totals is prone to remote command execution vulnerabilities.
Descripción:	Summary: AWStats Totals is prone to remote command execution vulnerabilities. Vulnerability Insight: The flaw is caused by improper validation of user-supplied input passed via the 'sort' parameter to 'multisort()' function, which allows attackers to execute arbitrary PHP code. Vulnerability Impact: Successful exploitation could allow remote attackers to execute arbitrary PHP commands by constructing specially crafted 'sort' parameters. Affected Software/OS: AWStats Totals versions 1.14 and prior. Solution: Upgrade to AWStats Totals version 1.15 or later. CVSS Score: 9.3 CVSS Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2008-3922 BugTraq ID: 30856 http://www.securityfocus.com/bid/30856 Bugtraq: 20080826 Multiple Vulnerabilities in AWStats Totals (Google Search) http://www.securityfocus.com/archive/1/495770/100/0/threaded http://www.exploit-db.com/exploits/17324 https://www.exploit-db.com/exploits/6368 http://userwww.service.emory.edu/~ekenda2/EMORY-2008-01.txt http://secunia.com/advisories/31630 http://securityreason.com/securityalert/4218 http://securityreason.com/securityalert/8259 http://www.vupen.com/english/advisories/2008/2442 XForce ISS Database: awstatstotals-multisort-command-execution(44712) https://exchange.xforce.ibmcloud.com/vulnerabilities/44712
Copyright	Copyright (C) 2011 Greenbone AG